‘Turn off Automatic Root Certificates Update’ and 3rd party root certificates

certificate-authority, windows-server-2008-r2

The group policy setting 'Turn off Automatic Root Certificates Update' prevents Windows from deleting certificates that it cannot verify.

If a third party has provided me with their own self-signed root certificate, I can see no other option but to turn off automatic root cert update, else their self-signed certificate will be deleted at some point due to group policy rules.

Is it insecure to disable this checking?

Do I have any other options? Can I set up more granular rules so that Windows will not delete the specific certificate, but will carry on updating the others I have installed?

Note:

I'm using a basic C# app to deploy the certificate, using the following code:

using System.Security.Cryptography.X509Certificates;

// Load the third-party root from disk and add it to the LocalMachine
// AuthRoot (Third-Party Root Certification Authorities) store.
X509Certificate2 certificate = new X509Certificate2("trusted-root-cert.cer");
X509Store store = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);

store.Open(OpenFlags.ReadWrite);  // LocalMachine stores need administrative rights
store.Add(certificate);
store.Close();

I need to install the certificate via code, since my software is running as part of a farm of multiple machines, where it's not practical to install anything by hand.

Also, the machines are in a workgroup, NOT a domain.

Best Answer

As far as I'm aware, certificates deployed via Group Policy will not be removed when the Automatic Root Certificates Update runs.

I can't find a definite reference from MSFT. This is how I deploy private CA root certificates in my Customers' environments and I've had no problems with them being automatically removed. (Of course, now that I say that... >sigh<)
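The following is an added example, not code from the question or the answer. It reworks the asker's deployment snippet so that it can be run repeatedly on every workgroup machine: it writes to StoreName.Root (the Trusted Root Certification Authorities store, which administrators populate themselves) instead of StoreName.AuthRoot (the store that the Automatic Root Certificates Update program keeps in sync with Microsoft's certificate trust list), refuses anything that is not self-signed, and keys on the thumbprint so a second run does not add a duplicate. The file path is a placeholder; the choice of store is the example's assumption.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

// Added example: idempotent installer for a third-party self-signed root.
static class RootCertDeployer
{
    // Placeholder path; the real file ships with your deployment package.
    const string CertPath = "trusted-root-cert.cer";

    static int Main()
    {
        try
        {
            var cert = new X509Certificate2(CertPath);

            // A root CA certificate is self-signed; refuse anything else so a
            // leaf or intermediate cannot land in the trust store by mistake.
            if (cert.Subject != cert.Issuer)
            {
                Console.Error.WriteLine("Not a self-signed root: " + cert.Subject);
                return 2;
            }

            // Root (Trusted Root Certification Authorities) is administrator-managed;
            // AuthRoot is the store the automatic root update program reconciles.
            bool added = EnsureInstalled(cert, StoreName.Root, StoreLocation.LocalMachine);
            Console.WriteLine((added ? "Installed " : "Already present: ") + cert.Thumbprint);
            return 0;
        }
        catch (Exception ex)  // e.g. CryptographicException when not running elevated
        {
            Console.Error.WriteLine("Deployment failed: " + ex.Message);
            return 1;
        }
    }

    // Returns true if the certificate was added, false if it was already present.
    static bool EnsureInstalled(X509Certificate2 cert, StoreName name, StoreLocation location)
    {
        var store = new X509Store(name, location);
        store.Open(OpenFlags.ReadWrite | OpenFlags.OpenExistingOnly);
        try
        {
            // Match on thumbprint (hash of the DER encoding), not on subject name,
            // so a different certificate with the same name is not mistaken for ours.
            X509Certificate2Collection existing = store.Certificates.Find(
                X509FindType.FindByThumbprint, cert.Thumbprint, false);
            if (existing.Count > 0)
                return false;

            store.Add(cert);
            return true;
        }
        finally
        {
            store.Close();
        }
    }
}
```

Run it elevated on each farm member (it needs write access to the LocalMachine store); the exit code distinguishes "installed", "already present", "rejected as not self-signed" and "failed", which makes it easy to drive from a deployment script.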