Windows – way to quickly disable all trusted root certificates in Windows 7

ssl-certificate, windows 7

(I've posted this earlier to superuser)

I'd like to temporarily disable all trusted root certificates and am wondering if there is a quicker way than going through every single one of them, right-click Properties and selecting "Disable all purposes for this certificate" (and then trying to find where I left off after the list in mmc scrolls back to the top)?

Best Answer

Just as @Grant mentioned, PowerShell can be used to remove (effectively disabling) the certificates from the store. An export can be done prior to the removal so you can re-import them back to the store.

To export & remove from the store:

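Add-Type -AssemblyName System.Security

$exportPath = 'c:\temp\certexport'

# Create the export folder if it is missing; WriteAllBytes fails on a non-existent path.
if (-not (Test-Path -Path $exportPath)) {
    New-Item -ItemType Directory -Path $exportPath | Out-Null
}

# Open the machine-wide Trusted Root store for modification (requires an elevated session).
$certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'

$certStore.Open('ReadWrite')

# $certStore.Certificates returns a snapshot, so removing inside the loop is safe.
foreach ($cert in $certStore.Certificates) {

    # Export cert to a .cer file named after its thumbprint.
    $certPath = Join-Path -Path $exportPath -ChildPath "$($cert.Thumbprint).cer"
    [System.IO.File]::WriteAllBytes($certPath, $cert.Export('Cert'))

    # Remove the cert from the store.
    $certStore.Remove($cert)

}
$certStore.Close()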

To re-import them back to the store:

Add-Type -AssemblyName System.Security

$exportPath = 'c:\temp\certexport'

$certStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'

$certStore.Open('ReadWrite')

Get-ChildItem -Path $exportPath -Filter *.cer | ForEach-Object {

    # Load the exported file as an X509Certificate2, the type X509Store.Add() expects.
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName

    $certStore.Add($cert)
}
$certStore.Close()
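
A read-only check that the export and the store agree, useful after the export (every entry should report `MissingFromStore`) and again after the re-import (every entry should report `InBoth`). This is an added example, not part of the original answer; the function name `Compare-RootStoreToExport` and the status labels are assumptions made here, and `$ExportPath` defaults to the folder used in the scripts above.

```powershell
Add-Type -AssemblyName System.Security

function Compare-RootStoreToExport {
    param([string]$ExportPath = 'c:\temp\certexport')

    # Thumbprint -> subject for every exported .cer file.
    $exported = @{}
    Get-ChildItem -Path $ExportPath -Filter *.cer | ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $_.FullName
        $exported[$c.Thumbprint] = $c.Subject
    }

    # Thumbprint -> subject for the live store, opened read-only so nothing changes.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    $inStore = @{}
    try {
        foreach ($c in $store.Certificates) { $inStore[$c.Thumbprint] = $c.Subject }
    } finally {
        $store.Close()
    }

    # One row per thumbprint seen on either side; @() keeps an empty result an empty array.
    $all = @(@($exported.Keys) + @($inStore.Keys) | Sort-Object -Unique)
    foreach ($t in $all) {
        if ($exported.ContainsKey($t) -and $inStore.ContainsKey($t)) {
            $status = 'InBoth'; $subject = $inStore[$t]
        } elseif ($exported.ContainsKey($t)) {
            $status = 'MissingFromStore'; $subject = $exported[$t]
        } else {
            # Present in the store but never exported, so a restore would not cover it.
            $status = 'NotInExport'; $subject = $inStore[$t]
        }
        New-Object PSObject -Property @{ Thumbprint = $t; Status = $status; Subject = $subject } |
            Select-Object Thumbprint, Status, Subject
    }
}

# Show only the discrepancies; no output after a re-import means the store matches the export.
Compare-RootStoreToExport | Where-Object { $_.Status -ne 'InBoth' } | Format-Table -AutoSize
```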