What are Root Certificates for Windows?

Certificates are like a confirmation that the message sent to you is original and not tampered with. Of course, there are methods to fake the confirmations like the Lenovo’s SuperFish certificate – and we’ll talk about it in a while. This article explains what are Root Certificates in Windows and if you should update them – because Windows always shows them as non-critical updates.


How does Public Key Cryptography work

Before talking about Root Certificates, it is necessary to take a look at how cryptography works in the case of web conversations, between website and browsers or between two individuals in the form of messages.

There are many types of cryptography out of which, two are essential and are used extensively for different purposes.

  1. Symmetric cryptography is used where you have a key, and only that key can be used to encrypt and decrypt messages (mostly used in email communications)
  2. Asymmetric cryptography, where there are two keys. One of those keys is used to encrypt a message while the other key is used to decrypt the message

Public key cryptography has a public and a private key. Messages can be decoded and encrypted using either of the two. Use of both the keys is essential to complete a communication. The Public key is visible to everyone and is used to make sure that the origin of the message is exactly the same as it appears to be. The Public key encrypts the data and is sent to the recipient having the public key. The recipient decrypts the data using the Private key. A trust relation is established, and the communication continues.

Both the public and private key contain information about the Certificate Issuing Authority such as EquiFax, DigiCert, Comodo, and so on. If your operating system considers the certificate issuing authority as trustworthy, the messages are sent back and forth between the browser and the websites. If there is a problem identifying the certificate issuing authority or if the public key is expired or corrupt, you will see a message saying There is a problem with the website’s certificate.

Now talking about public key cryptography, it is like a bank vault. It has two keys – one with the branch manager and one with the user of the vault. The vault opens only if the two keys are used and matched. Similarly, both the public and private key are used while establishing a connection with any website.

What are Root Certificates in Windows

Root Certificates are the primary level of certifications that tell a browser that the communication is genuine. This information that the communication is genuine is based upon the identification of certification authority.  Your Windows operating system adds several root certificates as trusted so that your browser can use it to communicate with websites.

This also helps in encryption of communications between the browsers and websites and automatically makes other certificates under it, valid. Thus certificate has many branches. For example, if a certificate from Comodo is installed, it will have a top level certificate that will help web browsers communicate with websites in an encrypted fashion. As a branch in the certificate, Comodo also includes email certificates, which will automatically be trusted by browsers and email clients because the operating system has marked the root certificate as trusted.

Root Certificates determine if a communication session with a website should be opened. When a web browser approaches a website, the site gives it a public key. The browser analyses the key to seeing who is the certificate issuing authority, whether the authority is trusted according to Windows, the expiry date of the certificate (if the certificate is still valid) and similar things before proceeding to communicate with the website. If anything is out of order, you will get a warning, and your browser may block all communications with the website.

On the other hand, if everything is fine, messages are sent and received by the browser as communication happens. With every incoming message, the browser also checks the message with its own private key to see it is not a fraudulent message. It responds only if it can decrypt the message using its own private key. Thus, both keys are required to carry on the communications. Furthermore, all the communications are carried forward in encrypted mode.

Fake Root Certificates

There are cases where companies, hackers etc. have tried to dupe the users. The recent case of an invalid certificate being trusted as root is still doing the rounds. This was the ‘SuperFish’ certificate in Lenovo computers. The Superfish adware installed a root certificate that seemed legitimate and allowed browsers to carry on communications with websites. However, the encryption system was so weak it could easily be pried upon.

Lenovo said it wanted to enhance the shopping experience of users and instead exposed their private data to hackers on the prowl on the Internet. This private data could be anything, including credit card information, social security number etc. If you have a Lenovo machine, make sure you do not have the adware installed by checking out the trusted certificates in your browsers. If there is one, update and run Windows Defender to get rid of the certificate. There is also an automatic removal tool released by Lenovo.

You can check for unsigned or untrusted Windows Root Certificates using Root Certificates Scanner or SigCheck.


Root Certificates are important so that your browsers can communicate with the websites . If you delete all the trusted certificates, out of curiosity or to stay safe, you will always get a message that you are on an untrusted connection. You can download trusted root certificates via the Microsoft Windows Root Certificates Program, if you think you do not have all the proper root certificates.

You should always check the non-critical updates once in a while to see if there are updates available for root certificates. If yes, download them using Windows Update only and not from third party sites.

There are fake certificates too but chances of you getting the fake certificates are limited – only when your computer manufacturer adds one to the list of trusted root certificates as Lenovo did or when you download root certificates from third party websites. It is better to stick to Microsoft and let it handle the root certificates rather than going on your own to install them from anywhere on the Internet. You can also see if a root certificate is trusted by opening it and running a search on the name of certificate issuing authority. If the authority seems reputed, you can install it or keep it. If you cannot make out the certificate issuing authority, it is better to remove it.

In a week or two, we will see how to manage Trusted Root certificates.

Posted by on , in Category Windows with Tags
Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. Peter C.

    “The Private key encrypts the data and is sent to the recipient having the public key. The recipient decrypts the data using the public key.”

    Isn’t that backwards?

  2. Dean

    “Isn’t that backwards?”
    Yes – you are correct. The article is wrong. The public key is used to encrypt and the private to decrypt.

  3. Of course, I somehow ended up writing it the other way. Thanks for pointing this out. 🙂

Leave a Reply

Your email address will not be published. Required fields are marked *

1 + 8 =