Re: Required Root CAs and CTLs

From: David Cross [MS]
Date: 11/20/03

Date: Thu, 20 Nov 2003 05:32:35 -0800

No, you cannot add those to a CTL, they must be left in their native form.

David B. Cross [MS]
This posting is provided "AS IS" with no warranties, and confers no rights.
"Lars Olaussen" <> wrote in message
> In the MS Knowledge Base Article 293781 there is a list of 'Trusted Root
> Certificates That Are Required By Windows 2000'.
> Would it be possible to just add these root CAs to a Certificate Trust
> List made by the own PKI implemented? Then all the root CAs shipped
> with Windows could be removed, and only the own PKI and PKIs signed in
> CTLs would be accepted at domain workstations.
> The first goal would be to require all drivers, applications etc to be
> digitally signed. Then require all PKIs issuing these certificates to be
> approved by the own root CA; never again have to worry about rogue
> drivers and applications being signed by untrusted 'Trusted Root
> Certificate'.
> Regards,
> Lars Olaussen