Certificate Trust List Size Problem Check (PKI)
Published Sep 06 2018 06:31 PM 604 Views
First published on CloudBlogs on May, 13 2013

Howdy folks! I've posted another PowerShell script which may come in handy for IT admins no matter what services you administer. You can read more about it below, and you can download it from this TechNet Script Center link.

Public Key Infrastructure (PKI) relies on the certificates which are being utilized to be issued from “trusted” authorities. Put very basically (basically enough to make PKI experts worldwide collectively wince) the certificate being used can be checked against the list to make sure there is a matching trusted issuer certificate in the trusted root list and that the issuer’s certificate passed some checks.  If the issuing certificate is missing and cannot be retrieved from the Microsoft PCA (which is not uncommon in secure corporate networks) then whatever services the certificate is being used for will likely fail.
There is a known condition which can happen where there can be too many certificates in the trusted root stores. This leads to some of them not being retrieved and may cause the trusted root check to fail and hence the services which rely on that to fail. This can be perceived as an intermittent and tough to track down problem.
This script will look at a local computer’s certificate trust list and count what is present. The problem is typically seen when there are more than one hundred certificates in the store, so the script will show “problem detected = $true” in that case. The count at which the problem appears is not precise, since the data in each certificate can make the size in memory a little different.
More information on this type of problem can be found in the Knowledge Base article “SSL/TLS communication problems after you install KB 931125”. NOTE: this issue can also occur when a trust list contains too many certificates for reasons unrelated to the KB 931125 update.
The script counts the number of certificates in the trusted root store on the computer and it also exports the list to a CSV file so you can review what is in it.
Sample result:
Detection Time                                        : 5/13/2013 8:20:28 AM
Problem Detected                                      : False
Computer Name                                         : TSPRING1034
Computer Role                                         : Member Workstation
Computer Domain                                       :
Number of Trusted Certificate Authorities             : 38
Number of Third Party Trusted Certificate Authorities : 23
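The same check, written here as an added example rather than the Script Center script the post links to: it counts the machine's Root and AuthRoot stores, flags the more-than-100 condition described above, and exports the certificate list to CSV. It assumes the threshold applies to the combined count of both stores and uses a placeholder CSV path.

```powershell
# Added example, not the script from the post. Counts the local machine's
# trusted root certificates, flags the "more than 100" condition, and exports
# the list to CSV for review.
# Assumptions: the threshold is applied to the combined count of both stores,
# and $CsvPath is a placeholder you can change.
param(
    [int]    $Threshold = 100,
    [string] $CsvPath   = "$env:TEMP\TrustedRootCertificates.csv"
)

# 'Root' is "Trusted Root Certification Authorities";
# 'AuthRoot' is "Third-Party Root Certification Authorities".
$trusted    = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
$thirdParty = @(Get-ChildItem -Path Cert:\LocalMachine\AuthRoot)

# Map Win32_ComputerSystem.DomainRole to the role names shown in the sample result.
$roleNames = @{
    0 = 'Standalone Workstation';   1 = 'Member Workstation'
    2 = 'Standalone Server';        3 = 'Member Server'
    4 = 'Backup Domain Controller'; 5 = 'Primary Domain Controller'
}
$cs     = Get-CimInstance -ClassName Win32_ComputerSystem
$domain = if ($cs.PartOfDomain) { $cs.Domain } else { '' }

# Export every certificate (store, subject, issuer, thumbprint, expiry) so the
# contents of the trust list can be reviewed.
$trusted + $thirdParty |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*\\', '' } },
                  Subject, Issuer, Thumbprint, NotAfter |
    Export-Csv -Path $CsvPath -NoTypeInformation

$total = $trusted.Count + $thirdParty.Count
[PSCustomObject]@{
    'Detection Time'                                        = Get-Date
    'Problem Detected'                                      = ($total -gt $Threshold)
    'Computer Name'                                         = $env:COMPUTERNAME
    'Computer Role'                                         = $roleNames[[int]$cs.DomainRole]
    'Computer Domain'                                       = $domain
    'Number of Trusted Certificate Authorities'             = $trusted.Count
    'Number of Third Party Trusted Certificate Authorities' = $thirdParty.Count
    'Certificate List'                                      = $CsvPath
}
```

Run it in an elevated PowerShell session on the server that terminates the TLS connections; the LocalMachine stores are what Schannel consults, not the current user's.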
