Automatic updating of trusted root authorities

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You typically use a certificate when you use a secure Web site or when you send and receive secure e-mail. Theoretically, anyone can issue certificates, but to have truly secure transactions, certificates must be issued by a trusted entity or organization. Microsoft has included a list of companies and organizations that it considers to be trusted authorities in Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and other products.

Typically, when you are presented with a certificate issued by an authority that is not in the trusted authority list provided with your browser or operating system, you are asked whether you want to establish trust in the certification authority (CA) that issued the certificate. Many users do not want to establish trust in an authority in this way, because they have limited resources to verify the trustworthiness and issuing policies of the CA.

In Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, you can use the Update Root Certificates function to handle this situation. Update Root Certificates is turned on by default. With this feature turned on, if you are presented with a certificate issued by an untrusted root authority, your computer contacts the Windows Update Web site to see whether Microsoft has added the CA to its list of trusted authorities. If the CA has been added to the Microsoft list of trusted authorities, its certificate is automatically added to your trusted certificate store.

For more information, see Turn off automatic updating of trusted root authority certificates, Turn on automatic updating of trusted root authority certificates, and Certificate stores.