
Guide to Managing Certificates in Trust Lists

A comprehensive guide to managing code-signing certificates and trusting apps based on certificate trust.

Trusting a CERT

Trusting apps based on their code-signing certificate is quick and easy. Let's take this program as an example: HXTSR.exe, signed by Microsoft Corporation.

managing-certs_image_001.jpeg

After you click the program, you will see the "Trust CERT" section with a button displaying the name of the signer. Click the name of the code-signing certificate; a new window will appear.

managing-certs_image_002.jpeg

You can type a name to identify this certificate in your Trust-List, or leave the field as is to use the placeholder name.

managing-certs_image_003.jpeg

Alternatively, you can click "HxTsr.exe" to use that name instead of typing a name or keeping the default one.

managing-certs_image_004.jpeg

In the "Upload to:" dropdown, you can choose where to upload this certificate: your "Inheritance Tree", your "Groups I Manage" or "Groups I Manage & their subgroups".

managing-certs_image_005.jpeg

Next, if you select your "Inheritance Tree", for example, the next dropdown lists the subgroups in your inheritance tree. If you select "ziggy test", this Microsoft Corporation certificate will be uploaded to the subgroup called ziggy test.

managing-certs_image_006.jpeg

Click "Show More Edit Options" to expand the options and enter more information about this certificate.

managing-certs_image_007.jpeg

You can now enter a description and add a home page URL for the certificate.

managing-certs_image_008.jpeg

This is an example of how it would look.

managing-certs_image_009.jpeg

Whenever you are ready to trust and add this cert to the subgroup of your choice, you can click "Trust This CERT".

managing-certs_image_010.jpeg

Verifying CERT Trust

Click "Show Trust-Lists" to access your Trust-List in that specific subgroup.

managing-certs_image_011.jpeg

Click "Apps".

managing-certs_image_012.jpeg

You have now added this Microsoft Corporation certificate to your Trust-List, and all apps signed with this certificate will be allowed to run. Click the Trust-List item to see more information.

managing-certs_image_013.jpeg

After you click the Trust-List item, you will see more information about it, including when it was added and by whom.

managing-certs_image_014.jpeg

Scroll down to see more information about the certificate itself.

managing-certs_image_015.jpeg

Disabling and removing a CERT

If for some reason you do not want this certificate in your Trust-List anymore, you can remove it quickly by clicking "Distrust" first.

managing-certs_image_016.jpeg

Then click "Disable App". You will be shown a pop-up window asking you to confirm the action.

managing-certs_image_017.jpeg

Click "Disable It" to remove this certificate from your Trust-List.

managing-certs_image_018.jpeg

Trust CERTs Menu

There is another way to trust certificates: click "Trust CERTs".

managing-certs_image_019.jpeg

You will be taken to a different page. On the right, you will see all of the CERTs you had on your app menu. You can select them all (only if you really know where they all come from), or select them one by one, as you prefer. On the left, you can see the menu for adding more information about the certificate or certificates.

managing-certs_image_020.jpeg
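Before selecting every certificate at once, it helps to check on the endpoint which signer certificates the binaries actually carry. The following is an added example, not part of the product or the original guide: it uses the built-in Get-AuthenticodeSignature cmdlet and groups files by certificate thumbprint, because several distinct certificates can share the same signer name. The function name Get-SignerSummary and the folder path in the usage comment are assumptions.

```powershell
# Added example (not from the product): summarize which code-signing
# certificates sign the files under a path, one row per certificate.
function Get-SignerSummary {
    param(
        [Parameter(Mandatory)]
        [string[]]$Path   # files or folders to inspect, supplied by the caller
    )

    $files = Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.exe', '.dll' }

    $rows = foreach ($f in $files) {
        $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
        $cert = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $f.FullName
            Status     = $sig.Status   # Valid, NotSigned, HashMismatch, ...
            Subject    = if ($cert) { $cert.Subject }    else { '(unsigned)' }
            Issuer     = if ($cert) { $cert.Issuer }     else { '' }
            Thumbprint = if ($cert) { $cert.Thumbprint } else { '' }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        }
    }

    # Group by thumbprint, not by signer name: the same name can appear on
    # several different certificates, and each one is a separate trust decision.
    $rows | Group-Object Thumbprint | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Subject    = $first.Subject
            Issuer     = $first.Issuer
            Thumbprint = $_.Name
            NotAfter   = $first.NotAfter
            Files      = $_.Count
            # Files whose signature did not verify as Valid need a closer look
            NotValid   = @($_.Group | Where-Object { $_.Status -ne 'Valid' }).Count
        }
    }
}

# Usage (placeholder path, replace with the folder you are reviewing):
# Get-SignerSummary -Path 'C:\Path\To\AppFolder' | Format-Table -AutoSize
```

A row with an empty thumbprint collects the unsigned files, and a non-zero NotValid count marks a certificate whose signatures did not all verify on this machine.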

managing-certs_image_021.jpeg

This dropdown list lets you decide how the certificates are added: add them and trust them immediately, add them without trusting them yet (so you can make a decision later), or add them with a Hard Block (Malware, Denied or Distrusted policy), which means that all apps signed by those certificates will be blocked instantly.

managing-certs_image_022.jpeg

We select the certificates we want to add to our Trust-List.

managing-certs_image_023.jpeg

We also select Spotify AB because we want to listen to some music while working.

managing-certs_image_024.jpeg

After you select the certificates of your choice and fill in all the information, you can select where (to which subgroup) you want to upload those certificates.

managing-certs_image_025.jpeg

Click this dropdown to select the subgroup in your inheritance tree to which you want to upload the trust.

managing-certs_image_026.jpeg

Click "Upload" when you are ready to add trust.

managing-certs_image_027.jpeg

Click "Show Trust-Lists".

managing-certs_image_028.jpeg

Click "Apps".

managing-certs_image_029.jpeg

Click the Trust-List item you just added to see more information.

managing-certs_image_030.jpeg

As you can see, all the certs you selected, including the Spotify cert, were added together as a single item in your Trust-List.

managing-certs_image_031.jpeg

Editing Trust-List App or CERT

Click "Edit App" if you want to edit any information contained within this Trust-List item.

managing-certs_image_032.jpeg

For example, we want to add the word "CERTs" into the name of the Trust-List item. Click "Apply" when you finish editing.

managing-certs_image_033.jpeg

Click "Apply".

managing-certs_image_034.jpeg

Copy App(s) or CERT(s)

Click "Copy" if you want to edit the apps or CERTs contained within this Trust-List item. You will be taken to a different page.

managing-certs_image_035.jpeg

We decided that we want only Microsoft CERTs in this item, and we want to create another trusted item from this one. Since we want all the Microsoft CERTs, we click "All" to select everything.

managing-certs_image_036.jpeg

Then, we uncheck "Spotify AB".

managing-certs_image_037.jpeg

We fill in the information.

managing-certs_image_038.jpeg

We choose how we want to proceed: Trusted, not trusted yet, or one of the other options.

Warning: Selecting Malware, Denied, or Distrusted will apply a "Hard Block" to a certificate.

managing-certs_image_039.jpeg

In this case, we want to create a new Trust-List item, but we do not want it trusted yet, so we select the "Add But Don't Trust Yet" option.

managing-certs_image_040.jpeg

We select where we want to upload our new Trust-List item. We want to upload it somewhere in our inheritance tree.

managing-certs_image_041.jpeg

Click the second dropdown to select the subgroup of your preference located in your inheritance tree to upload the trust.

managing-certs_image_042.jpeg

When you are ready to upload, click "Upload".

managing-certs_image_043.jpeg

We see the Spotify AB cert only, which means that a new item was created in the Trust-List with the other certs only.

managing-certs_image_044.jpeg

Open your Trust-List and select "Only Mine". You will see that we added a new item called "MICROSOFT CERTS ONLY". It was added successfully and, as we chose in the previous step, it is not trusted yet. Click the item for more information.

managing-certs_image_045.jpeg

After you click to see more information, you will notice that the Spotify AB certificate was not added; we only have the four certs that we selected.

managing-certs_image_046.jpeg

Enabling a Distrusted App or CERT

If you have made the decision to trust these four certificates within this Trust-List item, you can click "Trust" to enable this item in the Trust-List.

managing-certs_image_047.jpeg

Disabling a Distrusted App or CERT

If you decide that you are no longer going to use those four certificates within this Trust-List item, you can click "Disable" to remove it together with those four certificates.

Note that we covered distrusting and disabling a Trust-List item earlier in this guide. The purpose of covering it again is to show that a Trust-List item can contain more than one element. In the first example, the item held only one certificate, and distrusting it deactivated the trust for that one certificate. In this example, disabling a Trust-List item that contains four certificates is the same as disabling the trust for those four certificates at once.

managing-certs_image_048.jpeg

If you are sure about this action, click "Disable it".

managing-certs_image_049.jpeg

This is a quicker way to trust a cert that was already added to your Trust-List but has not been trusted yet. If you do not want to open and expand the details, just click the "Trust" button and it will be trusted automatically.

managing-certs_image_050.jpeg

Click "Distrust" to distrust the item quickly.

managing-certs_image_051.jpeg

Click "Trust" to trust the item quickly.

managing-certs_image_052.jpeg

Export Fingerprint File

You can export this item as a "Fingerprint File" to move it physically to another subgroup through the top menu option called "Add fingerprints" (close to the "Show Trust-List" button).

managing-certs_image_053.jpeg