When collecting my free personal email certificate (using IE7), I received a message dialog stating that I needed to install the “AddTrust External CA Root” certificate, and that Windows could not verify it. My question is, how come my system didn’t have this cert yet? If this is common among my intended recipients, then my certificate will be of not much value. Do the vast majority of systems have this root cert installed?
Thanks,
Tibor
Hi,
The root has been included in IE since 5.01
There are only 2 reason you would not have that root.
It has been deleted.
You started with IE5.00 and have never done a root update.
Please check Windows Updates for a root certificate update.
Its not one of the ones Microsoft has considered as ‘Critical’, so you must update manually by selecting it.
Garry
Hi Garry,
Thanks for the info! I went to Microsoft Update and, indeed, in the Optional software updates section there was a Root Certificates Update (Configure Trusted Roots and Disallowed Certificates | Microsoft Learn). This must have been it (though I can’t verify for sure since I already installed the AddTrust cert). I don’t remember having IE5.00, but as this is a 2003 machine I guess that was what it came with. I wonder why it’s an optional update – I assume average users don’t install these unless prompted. So, I hope people I’m emailing with have newer machines. 
Thanks,
Tibor
Hi,
Doing that update I am sure was the root (no pun intended) of the issue.
Not sure why Microsoft don’t consider it ‘Critical’, so people have to select it as an optional update to install.
IMHO, updating things like the root certificate store should be critical as it affects the ‘trust’ level when viewing web pages.
Certificate Authorities (CA’s) are joining the Microsoft Root Store Program or updating their existing roots in the program, so making the update critical would mean all versions of the browser would get the new/latest list of trusted root CAs into their browser.
Garry