Channel: Parallel Universe – MS Tech Blog

Export all your Trusted Root Certificate from Local Machine store


Today I was working on a case for a customer who got a security error in all browsers on every web page he visited.

The main message was “Could not Establish a Trust”

It was a Windows 2008 R2 Server, and after validating that the name was correct on the certificate they were trying to connect to, I looked at the certificate chain and verified it against the Trusted Root Certificate Store on the LocalMachine.

Anyway, we found that there were only 8 certificates in the Trusted Root Store, which is definitely not correct!

So we need to take them from another box and import them, and here is a little PowerShell script to help you do it!

First we define the $type variable, which specifies for later that we will export a certificate:

$type = [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert

Next we gather all the certificates from the Trusted Root Store on a working machine:

$certs = get-childitem -path cert:\LocalMachine\AuthRoot

Finally we loop through all the certificates and, in my example, export each one to a .DER file in the c:\temp directory:

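foreach ($cert in $certs)
{
    # The certificate hash (thumbprint) becomes the file name
    $hash = $cert.GetCertHashString()
    $path = "c:\temp\" + $hash + ".der"
    # Export the public certificate only (X509ContentType Cert) as DER bytes
    [System.IO.File]::WriteAllBytes($path, $cert.Export($type))
}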

Each file is named after its certificate hash.

And voila, all the root certificates have been exported and you can copy and import them onto the “broken” machine!
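The import step on the "broken" machine, as an added example that is not part of the original post: it checks each copied file before trusting it, using the fact that the export loop names every file after its certificate hash. The function name, its parameters and the self-issued check (Subject equals Issuer) are assumptions of this example; it uses the .NET X509Store class so that it also runs on the PowerShell shipped with Windows 2008 R2.

```powershell
# Added example. Import-ExportedRoot and its parameters are hypothetical names.
function Import-ExportedRoot {
    param(
        [string]$Folder    = 'c:\temp',    # folder the export loop wrote to
        [string]$StoreName = 'AuthRoot',   # same store the post exported from
        [switch]$Apply                     # without -Apply nothing is written
    )
    $flags = if ($Apply) { 'ReadWrite' } else { 'ReadOnly' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open($flags)
    try {
        foreach ($file in Get-ChildItem -Path $Folder -Filter *.der) {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($file.FullName)
            $status = 'ok'
            # The file name must still equal the hash of the bytes inside it;
            # a mismatch means the file was swapped or altered after export.
            if ($cert.Thumbprint -ne $file.BaseName) {
                $status = 'thumbprint does not match file name'
            }
            # A root certificate is issued by itself; anything else does not
            # belong in a root store.
            elseif ($cert.Subject -ne $cert.Issuer) {
                $status = 'not self-issued'
            }
            elseif ($store.Certificates.Find('FindByThumbprint', $cert.Thumbprint, $false).Count -gt 0) {
                $status = 'already present'
            }
            elseif ($Apply) {
                $store.Add($cert)
                $status = 'imported'
            }
            # One result object per file, so the run can be reviewed or logged
            New-Object PSObject -Property @{
                File       = $file.Name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Status     = $status
            }
        }
    }
    finally {
        $store.Close()
    }
}

# Dry run first, then import from an elevated prompt:
# Import-ExportedRoot | Format-Table -AutoSize
# Import-ExportedRoot -Apply | Format-Table -AutoSize
```

Compare the thumbprints in the dry-run output against the working machine's store before running with -Apply, since every certificate added here becomes a trust anchor for the whole server.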

