Every Website Shows SSL certificate warning - updroots.exe

The Error

I had a user report to me that all websites, whether in IE, Chrome, etc., displayed certificate warnings. It was the same for all users on the computer.

This was strange to me because even https://www.google.com displayed the warning. When checking the cert from Google and the trusted root certificate, it all looked good but still said the certificate couldn't be trusted. This image shows the window on a known working computer:



Troubleshooting

While it is important to note that this could be a sign that you are the victim of a MITM attack, this was not the case for the computer I was troubleshooting. I've seen this behavior before, and almost every time it happens the system clock was wrong, so always check that the date (including year), time, and time zone are correct by right-clicking the clock in the system tray and going to Adjust date/time. The computer in question actually did have the right date/time but the wrong time zone settings. Changing the time zone and rebooting, however, did not fix the problem.

If that doesn't do the trick, try clearing the SSL state in IE > Tools > Internet Options > Content > Clear SSL State.

I attempted all of these techniques with no luck, so finally I decided to compare the list of trusted root certificates in IE > Tools > Internet Options > Content > Certificates > Trusted Root Authorities to a known working computer, and I noticed that on the computer with the issue there were significantly fewer entries than on a known working computer.


Solution

At this point I determined that I needed to rebuild the Trusted Root Certification Authorities store on the problem PC.

Microsoft used to offer the download for rootsupd.exe, but it seems the file was taken down and can no longer be downloaded from their site. Fortunately, you should be able to find copies of the file from other trusted sources online.

Once you have the file you will need to do the following:

  1. Open an administrator command prompt, CD to the directory where you saved rootsupd.exe, and type rootsupd.exe /c /t:C:\temp
  2. CD to the temp directory and type the following commands one at a time:
       - updroots.exe authroots.sst
       - updroots.exe updroots.sst
       - updroots.exe -l roots.sst
       - updroots.exe -d delroots.sst

After doing this, I saw that the Trusted Root Certification Authorities list was as long as the list on a known working computer, and the user is now able to access all sites without the SSL certificate warning.
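
The two checks this procedure depends on (comparing the root list against a known working computer, and confirming a copy of rootsupd.exe obtained from a third-party source), as an added PowerShell example that is not part of the original post. Function names and paths are placeholders; it assumes PowerShell 4 or later, reads only the machine-wide root store, and assumes a genuine package is signed by Microsoft Corporation.

```powershell
# Added example: function names and paths are illustrative placeholders.

# On the known-good computer: save its machine-wide trusted roots as a baseline.
function Export-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object Thumbprint, Subject, NotAfter |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

# On the problem PC: report roots the baseline has that this machine lacks
# (Missing) and roots present only here (Extra). Extra entries deserve a manual
# look, since an unexpected root can indicate TLS interception (the MITM case).
function Compare-RootBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $baseline    = @(Import-Csv -Path $Path)
    $local       = @(Get-ChildItem Cert:\LocalMachine\Root)
    $basePrints  = @($baseline | ForEach-Object { $_.Thumbprint })
    $localPrints = @($local    | ForEach-Object { $_.Thumbprint })
    [pscustomobject]@{
        BaselineCount = $baseline.Count
        LocalCount    = $local.Count
        Missing = @($baseline | Where-Object { $localPrints -notcontains $_.Thumbprint })
        Extra   = @($local | Where-Object { $basePrints -notcontains $_.Thumbprint } |
                    Select-Object Thumbprint, Subject, NotAfter)
    }
}

# On the known-good computer: check the downloaded package before running it.
# Signature validation itself relies on the trusted root store, so a machine
# with a depleted store can reject a genuine file.
function Test-RootsPackage {
    param([Parameter(Mandatory)][string]$File)
    $sig = Get-AuthenticodeSignature -FilePath $File
    [pscustomobject]@{
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        SHA256 = (Get-FileHash -Path $File -Algorithm SHA256).Hash
        # Assumption: a genuine package carries a valid Microsoft signature.
        Accept = ($sig.Status -eq 'Valid') -and
                 ($sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
    }
}

# Usage (paths are placeholders):
#   Export-RootBaseline  -Path C:\temp\good-roots.csv   # known-good computer
#   Test-RootsPackage    -File C:\temp\rootsupd.exe     # known-good computer
#   Compare-RootBaseline -Path C:\temp\good-roots.csv   # problem PC
```

Running Compare-RootBaseline again after the updroots.exe steps shows whether the Missing list has emptied.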

Hope this helps and good luck!