Scan your Windows computer for untrusted root certificates

Root certificates are one core building block of today's Internet. They are used to verify connections and a list of trusted certificates ships with operating systems such as Windows which makes them more trustworthy than certificates added to the operating system by third-parties.

For end users, it is nearly impossible to tell which certificates are legitimate and which are not. While it is possible to display them all in a list in the Microsoft Management Console, there is no telling which ship with Windows, which are added by third-parties and which of them are legit and which are not, at least not on first glance.

The free program RCC attempts to change that by scanning Windows and Firefox root certificate stores to display certificates that should be looked at more closely.

While the website of the author does not reveal how that is done, the most likely explanation is that it takes Microsoft's list of trusted root certificates into account at the very least and compare it to root certificates installed on the machine.

The program needs to be run from the command line:

1. Download and extract it to a location on your system.
2. Tap on the Windows-key, type cmd and hit enter.
3. Navigate to the location of the extracted file on your system using the cd command, e.g. cd c:\users\martin\downloads
4. Type rcc and hit enter.

The scan does not take long and the most interesting information are highlighted in red by the program. Interesting does not necessarily mean a rogue certificate though.

This means that you need to research them manually to find out more about them. While you could delete them right away, it might prevent services from running properly on your system if you do.

Find out more about a certificate

You need to use a different program to find out more about listed root certificates.

1. Tap on the Windows-key, type mmc and hit enter.
2. Select File > Add/Remove Snap-Ins from the menu bar at the top.
3. Select Certificates, then user account and finish.
4. Click ok.
5. Expand the list of certificates and open trusted root certification authorities from the listing.
6. Locate the certificates that the scanner listed in its interface.

The console may list additional information about it, for instance the company that issues it, its intended purpose or when it is expiring.

To remove a certificate from the list, select it and hit the delete key on the keyboard afterwards. Before you do that, you may want to search the Internet for information about a certificate.

You may be able to identify some right away, for instance if a company name is used. That way you can tell right away if the certificate is still required or not on your system. If you don't use the company's services or products anymore on it, it is likely that it is not needed anymore.

Verdict

RCC is a useful program. It is portable and scans a system's and Firefox's root certificates to highlight certificates that you should investigate more closely to make sure rogue certificates are not installed on the computer system.