How To remove or block certificates in Windows

The following tutorial works on every Windows version from 7 up to 10, so don't worry if the screenshots look slightly different; the process is the same. But why should you remove certificates at all? Simply to avoid spying, traffic redirection and other certificate fraud that relies on a certification authority your machine trusts.

[Screenshot: certmgr.msc]
certmgr.msc is present in all Windows versions and quickly shows the certificates installed for the current user. The machine-wide stores are shown by certlm.msc (Windows 8.1 and later) or by adding the Certificates snap-in for the Computer account in mmc.

Why should you remove or mess manually with certificates?

Windows users who use Internet Explorer, Edge or Chrome, or basically any program that relies on the Microsoft certificate store, can be exposed to mis-issued or 'fake' certificates used for man-in-the-middle attacks, particularly when using the Internet from within Iran, Thailand, Syria and similar countries. Firefox keeps its own certificate store by default, so it has to be checked separately (RCC, mentioned below, covers both stores).

One of the simplest ways of mitigating this is to actively distrust specific certificates.

The certificate weaknesses are:

  • SHA-1, MD5 and MD2 signing algorithms are deprecated: MD5 collisions are cheap to compute and SHA-1 collisions have been demonstrated in practice, so a certificate signed with them cannot be relied on. Note that a root's self-signature is not what makes it trusted, so this matters most for intermediates and end-entity certificates chaining under these roots.
  • The key entities listed (Thawte, Symantec/VeriSign and Equifax) have had widely reported data-integrity compromises.
  • There is no reason why certificates that are not on Microsoft's list of approved root certification authorities need to be, or should be, on any corporate or personal computer.
  • Use of such certificates by any organization would allow antivirus and other security software to be rendered ineffective, and a compromise would not be easily detected by end users.

The most frequently cited example is the Equifax one.

Why can’t I remove all certificates?

Because removing a root that a website's chain depends on causes certificate warnings like those below whenever that site is used, and the browser refuses the connection until you consent.

[Screenshot: certificate warning]
Each browser has its own certificate warning, so it looks different in every browser, but it says essentially the same thing.

The ultimate goal is to find the certificates you don't need and block the rest; since this depends on your location and the sites you use, you need to test yourself which certificates are needed and which are not. Keep in mind that Windows fetches missing root certificates on demand from Windows Update (the automatic root update), so a root you merely delete from Trusted Root can silently come back the next time a certificate chain needs it. A certificate placed in the Untrusted Certificates (Disallowed) store, however, stays blocked even if a copy is re-downloaded. Removing is therefore not optimal; blocking is in general better.

There are two methods of disabling the certificate in question, either via the Windows Desktop, or via the command line.

Removing the Certificate via the Windows Desktop

Open the Microsoft Management Console (mmc) [press Windows key + R and type mmc] and add the Certificates snap-in, or bypass this and call the store directly via certmgr.msc, which shows the current user's certificate stores (use certlm.msc or the snap-in for the Computer account to see the machine-wide stores).

[Screenshot: Run dialog with certmgr.msc]

[Screenshot: certmgr.msc]
Dragging and dropping the certificate into the 'Untrusted Certificates' store removes it from its original store automatically.

The Untrusted Certificates folder is the Disallowed store, and a certificate in it is explicitly distrusted by CryptoAPI, so the move does block it. To be safe you can additionally 'disable' the certificate manually: open its properties and select 'Disable all purposes for this certificate'.

[Screenshot: disabling a certificate]
Right-clicking the certificate gives you a bunch of options.

Removing the Certificate via the Command Line

  • Open an elevated Command Prompt [press Windows key + R, type cmd and press Ctrl+Shift+Enter]. certutil operates on the local-machine store unless you pass -user, so it needs administrator rights.
  • Download the current root certificates from Windows Update into a folder by typing the following into the Command Prompt window: certutil -syncwithwu %temp% (the files it writes are named after each certificate's SHA-1 thumbprint).
  • Verify each downloaded certificate, which makes CryptoAPI build its chain and refresh the trust store, by typing the following into the Command Prompt window: for /f %i in ('dir /s/b %temp%\*.crt') do certutil -verify "%i" (inside a batch file write %%i instead of %i).
  • Text should start scrolling up in the Command Prompt window, and the process takes a couple of minutes to return to the prompt.
  • Add your certificate to the Disallowed store, using the file named by its SHA-1 thumbprint: certutil -addstore DISALLOWED %temp%\66F2DCFB3F814DDEE9B3206F11DEFE1BFBDFE132.crt. Running certutil -verify on that file afterwards should now report CERT_TRUST_IS_EXPLICIT_DISTRUST.
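The same procedure as a PowerShell script, as an added example that is not part of the original post: it locates a certificate by SHA-1 thumbprint in the root and intermediate stores, keeps a backup copy, adds it to the local-machine Disallowed store (the store that certutil -addstore DISALLOWED writes to), and then confirms through CryptoAPI chain building that the certificate is now explicitly distrusted. Save it as a .ps1 file and run it from an elevated PowerShell 3 or later prompt; the thumbprint argument is whatever you found with RCC or the Find Certificates dialog, and the backup path under %TEMP% is an assumption you can change.

```powershell
# Added example (not from the original post): block a certificate by thumbprint
# the way the certutil steps above do, then confirm that chain building reports
# explicit distrust. Requires an elevated prompt (the Disallowed store is written
# in the LocalMachine location). Usage: .\Block-Certificate.ps1 -Thumbprint <40 hex chars>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]
    [string]$Thumbprint
)

$Thumbprint = $Thumbprint.ToUpper()   # X509Certificate2.Thumbprint is upper-case hex

# Roots and intermediates live in these stores; search all four.
$searchStores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA',
                'Cert:\CurrentUser\Root',  'Cert:\CurrentUser\CA'
$cert = Get-ChildItem -Path $searchStores |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint found in: $($searchStores -join ', ')"
}

# Keep a DER copy so the decision can be reversed later
# (certutil -delstore DISALLOWED <thumbprint>). Backup path is an assumption.
$backup = Join-Path $env:TEMP "$Thumbprint.cer"
[IO.File]::WriteAllBytes($backup, $cert.Export('Cert'))

# Adding the certificate to the Disallowed store is what "blocking" means to
# CryptoAPI: any chain containing it fails with explicit distrust, even if a copy
# is still present in Trusted Root or is re-downloaded by the automatic root
# update. The .NET store API is used so this also works on Windows 7.
$disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', 'LocalMachine')
$disallowed.Open('ReadWrite')
$disallowed.Add($cert)
$disallowed.Close()

# Verify: build a chain for the certificate and look for the ExplicitDistrust flag.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; revocation is not the point here
$null = $chain.Build($cert)
$distrusted = $chain.ChainStatus | Where-Object {
    $_.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::ExplicitDistrust
}

if ($distrusted) {
    Write-Output "Blocked: '$($cert.Subject)' [$Thumbprint] is now explicitly distrusted. Backup: $backup"
} else {
    $flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    Write-Warning "Certificate was added to Disallowed, but chain status is: $flags"
}
```

The chain check at the end is the part worth keeping: it is the same signal certutil -verify prints as CERT_TRUST_IS_EXPLICIT_DISTRUST, and it tells you the block is effective regardless of which store the certificate originally came from.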

How do I find bad certificates?

There are two methods: you can search the Internet manually, or you can use RCC, a small utility that scans the Windows and Mozilla certificate stores for unknown or bad certificates and lists them.

[Screenshot: RCC output]
Red certificates are the unknown or dangerous ones. Some malware also installs its own certificates in order to bypass AV products and their packet inspectors. In this example some AV programs have installed their own certificates in order to tunnel traffic through them so they can inspect it.
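An added example (not from the original post, and not part of RCC) that does a first pass of this search offline in PowerShell: it lists every certificate in the machine and user Trusted Root stores that is signed with a deprecated algorithm, is expired, sits in the per-user root store (where Windows Update never places anything), or is missing from the set Windows Update currently distributes. The comparison with Microsoft's list assumes you have already run certutil -syncwithwu into a folder, whose .crt files are named by SHA-1 thumbprint; the default folder path below is an assumption and can be overridden. It also warns if the automatic root update has been switched off by policy, since that is the mechanism that delivers the disallowed list.

```powershell
# Added example (not from the original post): audit the Trusted Root stores for
# certificates worth a closer look before deciding what to block.
# Assumes PowerShell 3 or later. $WuDump is an assumed folder previously filled by
# "certutil -syncwithwu <folder>"; if it does not exist, that check is skipped.
param(
    [string]$WuDump = "$env:TEMP\wuroots"
)

$weakAlgs = 'md2RSA', 'md5RSA', 'sha1RSA'   # deprecated signature algorithms

# Thumbprints Microsoft currently distributes: one <SHA1>.crt file per root.
$msRoots = @{}
if (Test-Path $WuDump) {
    Get-ChildItem -Path $WuDump -Filter '*.crt' | ForEach-Object {
        $msRoots[$_.BaseName.ToUpper()] = $true
    }
}

$stores = 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'
$findings = foreach ($store in $stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        if ($weakAlgs -contains $cert.SignatureAlgorithm.FriendlyName) {
            $reasons += "weak signature ($($cert.SignatureAlgorithm.FriendlyName))"
        }
        if ($cert.NotAfter -lt (Get-Date)) { $reasons += 'expired' }
        # Windows Update only populates the machine store; a root in the per-user
        # store was put there by an installer, interception software or malware.
        if ($store -like '*CurrentUser*') { $reasons += 'user-installed root' }
        if ($msRoots.Count -gt 0 -and -not $msRoots.ContainsKey($cert.Thumbprint)) {
            $reasons += 'not in Windows Update root list'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = ($reasons -join '; ')
            }
        }
    }
}

# The "Turn off Automatic Root Certificates Update" policy sets this value to 1.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $pol -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    Write-Warning 'Automatic root certificate update is disabled by policy; the disallowed list will not refresh.'
}

$findings | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

Treat the output as a worklist, not a verdict: an AV product's interception root will show up as a user-installed or non-Microsoft root, and you have to decide for yourself whether that is expected on the machine. The Thumbprint column is what you paste into the Find Certificates dialog or pass to the blocking step.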

How do I search for the specific hash to find the certificates more quickly?

[Screenshot: Find Certificates]
Right-click on 'Certificates – Current User' to reveal the 'Find Certificates…' dialog.

[Screenshot: certmgr.msc searching by checksum]

This lets you search for the checksums (found e.g. by RCC or on the Internet) and lists the matching certificate. You can filter the search results however you like. My advice is to block all invalid certificates, the expired ones and the ones you do not need, so that other authorities cannot possibly sniff your traffic.

Important notice

It should be mentioned that every browser and Windows itself check their certificates automatically, and there is a blacklist mechanism that gets checked regularly. However, this is only as good as the decisions of Mozilla, Google or Microsoft about whether to remove or block a certificate. Windows by itself checks about once every 24 hours whether there are new or newly blocked certificates, so some 'smart' people who disable SmartScreen and block explorer.exe and svchost.exe with a firewall are not following a recommended practice: with those blocked, the list never gets updated automatically in the background.

Final Words

Blocking certificates is a good thing, especially if you care about your privacy. It's not complicated to monitor with the tools mentioned; simply keep track of it now and then and you stay secure, without any AV. The browser and the OS already have mechanisms to block certificate fraud, but they don't always work, and you should regularly check whether there are unwanted certificates in your store to ensure nothing has compromised you.
