Microsoft says: Don't delete expired root certificates in Windows

[German]I'm picking up again the still-open topic of expiring certificates. At the end of the year, some root certificates expire. However, these must not be deleted under Windows under any circumstances, since that leads to problems.


Short review of the topic

Owners of devices that no longer receive updates face the problem that digital certificates may expire there. In the blog post Expired certificates kick IoT devices out of business I had already pointed out in the summer of 2020 that a bitter end could loom for smart devices such as smart TVs, refrigerators or other IoT devices (smart speakers, thermostats, etc.). When the AddTrust External CA [Certificate Authority] root expired in May 2020, various devices suddenly stopped working. Owners of older smartphones and tablet PCs also no longer receive updates and thus no longer receive updated certificates.

Root certificates expire at the turn of the year 2020/2021


I had pointed out in the blog post Will expired certificates kicks unpatched older devices at the end of 2020 out of business? that some certificates expire on Windows at the end of the year 2020. Blog reader Karl had raised this question on Twitter.

Microsoft warns: Do not delete expired certificates

German blog reader Alexander Meckelein pointed out a pitfall with expired certificates (colleagues at Bleeping Computer also addressed this in this article). Back in September 2020, Microsoft published the document Required trusted root certificates. This article lists the trusted root certificates required by Windows operating systems to run correctly.

The article itself is already extremely strange, as it originally applied to Windows 7 Service Pack 1 and Windows Server 2012 R2, but has a revision date of September 8, 2020. However, the tables with the root certificates required by the operating systems refer to Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2.


All of these operating system versions are out of support, even if Microsoft still offers the Extended Support Update program for Windows 7 SP1 / Windows Server 2008 R2. And some certificates mentioned in the document have long since expired. Administrators might get the idea to remove these expired root certificates from the system to do some housekeeping, so to speak. 

However, the key point that comes to light in this article is the statement: the root certificates listed in the document as necessary and trusted are required for the correct operation of the operating system. Removing these certificates could limit the functionality of the operating system or cause the computer to fail. Therefore, even expired certificates must not be removed from the Windows certificate store, because they are required for backward compatibility. As long as expired certificates are not revoked, they can still be used to validate anything that was signed before their expiration date. This should be kept in mind regarding this issue.
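To make that last point concrete, here is an added PowerShell example (my own, not code from the blog post or from Microsoft's document). It does two read-only things: it inventories expired certificates in the machine root stores without removing anything, and it builds a signed file's certificate chain as of a chosen point in time, which is what lets a signature made before a root expired still validate. The function names `Get-ExpiredRootCertificate` and `Test-SignatureChainAt` are my own, and the verification time is supplied by the caller as a stand-in for the countersignature timestamp that Authenticode itself would use.

```powershell
# Added example (not from the blog post or Microsoft): audit expired roots and
# show that a chain can still be validated at a time before the root expired.
# Everything here is read-only; nothing is removed from any store.

function Get-ExpiredRootCertificate {
    # Lists expired certificates in the machine root stores, for inventory only.
    param([string[]]$Store = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'))
    $now = Get-Date
    foreach ($s in $Store) {
        Get-ChildItem -Path $s -ErrorAction SilentlyContinue |
            Where-Object { $_.NotAfter -lt $now } |
            ForEach-Object {
                [pscustomobject]@{
                    Store      = $s
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                }
            }
    }
}

function Test-SignatureChainAt {
    # Builds the signer's chain as of $VerificationTime. Authenticode normally
    # takes that time from the countersignature timestamp; here the caller
    # supplies it (assumption made for the example).
    param(
        [Parameter(Mandatory)][string]$FilePath,
        [datetime]$VerificationTime = (Get-Date)
    )
    $sig = Get-AuthenticodeSignature -FilePath $FilePath
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $FilePath; Status = $sig.Status; ChainValid = $false; Root = $null; RootExpired = $null; ChainErrors = 'no signer certificate' }
    }
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.VerificationTime = $VerificationTime
    # Offline-friendly: skip revocation lookups for this demonstration.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($sig.SignerCertificate)
    $root = $null
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    }
    [pscustomobject]@{
        File        = $FilePath
        Status      = $sig.Status
        ChainValid  = $ok
        Root        = if ($root) { $root.Subject } else { $null }
        RootExpired = if ($root) { $root.NotAfter -lt (Get-Date) } else { $null }
        ChainErrors = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# Usage: list expired roots, then check a signed system binary.
Get-ExpiredRootCertificate | Sort-Object NotAfter | Format-Table -AutoSize
Test-SignatureChainAt -FilePath "$env:SystemRoot\System32\notepad.exe"
```

Run `Test-SignatureChainAt` twice on a file whose chain ends in an expired root, once with the default (current) time and once with a `-VerificationTime` before the root's NotAfter: the first build reports a time-validity error, the second succeeds, which is exactly why the expired root has to stay in the store.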
