You don't need all those root certificates

As of today, Windows trusts 322 root certificates issued by 122 different organizations from 47 countries. This number is quite high, and has been steadily growing over the last few years. And it turns out many of those certificates are not needed at all by the vast majority of Windows users, can be distrusted with no ill effects of any sort.

Each of these CAs is given tremendous power over your Internet traffic, so it makes great sense to minimize the number of CAs your computer trusts. One simple way to achieve this goal is to replace the default Windows list of root CAs with the much stricter Mozilla trust list, which includes 142 roots (52 organizations - 21 countries). An even stricter option is using the Google CTL, which currently includes just 127 root certificates (48 organizations - 21 countries). For the vast majority of users, applying either set is a great way to reduce your exposure to unnecessary CAs, with no negative impact whatsoever.

Replacing the default Windows list of root CAs with the Mozilla or Google trust lists can be done manually, but is extremely time-consuming and error prone. The free version of RootIQ(*) offers a much simpler way to perform this system change:

1. Use the Quick select dropdown to select the Mozilla trust set
2. Right-click the selection and click Invert selection
3. Right-click the selection and click Distrust
   Click Yes on the confirmation dialog
   This will distrust all roots that are not part of the Mozilla trust set, except for any Microsoft OS-critical roots.
4. Use the Quick select dropdown to select the Mozilla trust set (again)
5. Right-click the selection and Trust


As of this writing, on a standard Windows 10 system, you will end up with 145 trusted roots (rather than 322 roots for the default Microsoft CTL)

(*) RootIQ, our own root certificate manager for Windows, is now available. A free version of RootIQ is available for home and evaluation use.

Written on October 17, 2020