Guide to Managing Certificates in Trust Lists
A comprehensive guide to managing code-signing certificates and trusting apps based on certificate trust.
Trusting a CERT
Trusting apps based on their certificate is easy and fast. Let's take this program as an example: HXTSR.exe, signed by Microsoft Corporation.
After you click the program, you will see the "Trust CERT" section with a button displaying the name of the signer. Click the name of the code-signing certificate; a new window will appear.
You can type a name to identify this certificate in your Trust-List, or leave the field as is so that the placeholder name is used.
Alternatively, you can click "HxTsr.exe" to use that name instead of typing one or keeping the default name.
In the "Upload to:" dropdown, you can choose where to upload this certificate: your "Inheritance Tree", your "Groups I Manage" or "Groups I Manage & their subgroups".
Next, if you select your "Inheritance Tree", for example, the next dropdown lists the subgroups in your inheritance tree. If you select "ziggy test", this Microsoft Corporation certificate will be uploaded to the subgroup called ziggy test.
Click "Show More Edit Options" to expand the options to introduce more information about this certificate.
You can now enter a description, and you can also add a home page URL for the certificate.
This is an example of how it would look.
Whenever you are ready to trust and add this cert to the subgroup of your choice, you can click "Trust This CERT".
Verifying CERT Trust
Click "Show Trust-Lists" to access your Trust-List in that specific subgroup.
Click on "Apps"
You have now added this Microsoft Corporation certificate to your Trust-List, and all the apps that are signed with this certificate will be allowed to run. Click on the Trust-List item to see more information.
After you click the Trust-List item, you will see more information about it, including who added it and when, along with other details.
Scroll down to see more information about the certificate itself.
Disabling and removing a CERT
If for some reason you do not want this certificate in your Trust-List anymore, you can remove it quickly by clicking "Distrust" first.
Then click "Disable App". You will be shown a pop-up window asking you to confirm the action.
Click "Disable It" to remove this certificate from your Trust-List.
Trust CERTs Menu
There is another way to trust certificates: click "Trust CERTs".
You will be taken to a different page. On the right you will see all of the CERTs you had on your app menu, so you can select them all (if you really know where they all come from) or select them one by one, as you prefer. On the left you will see the menu for adding more information about the certificate or certificates.
This dropdown list lets you decide how the certificates are added: add them and trust them immediately, add them without trusting them yet (so you can make a decision later), or add them with a Hard Block (Malware, Denied or Distrusted policy), which means that all apps signed by those certificates will be blocked instantly.
We select the certificates we want to add to our Trust-List.
We also select Spotify AB because we want to hear some music while working.
After you select the certificates of your choice and fill in all the information, you can select where (to which subgroup) you want to upload those certificates.
Click this dropdown to select in which subgroup in your inheritance tree you want to upload the trust.
Click "Upload" when you are ready to add trust.
Click "Show Trust-Lists"
Click "Apps".
Click the Trust-List item you just added to see more information.
As you can see, all the certs you selected, including the Spotify cert, were added together as one single item in your Trust-List.
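Before selecting every CERT on the Trust CERTs page, it helps to confirm where each signer comes from. The PowerShell script below is an added example, not part of the original guide or the product; it relies on the built-in Get-AuthenticodeSignature cmdlet, and the folder path is a hypothetical placeholder.

```powershell
# Added example (not vendor code): list the Authenticode signers found under a
# folder so each signer can be reviewed before its CERT is selected for trust.
param(
    # Hypothetical folder; point this at the directory holding the apps under review.
    [string]$Path = 'C:\Program Files\ExampleApp'
)

function Get-SignerSummary {
    param([Parameter(Mandatory)][string]$Folder)

    Get-ChildItem -Path $Folder -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                File       = $_.FullName
                Status     = $sig.Status          # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = if ($cert) { $cert.Subject }    else { '<no signer>' }
                Issuer     = if ($cert) { $cert.Issuer }     else { $null }
                Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
            }
        }
}

$files = @(Get-SignerSummary -Folder $Path)

# One row per distinct certificate: the same signer name can appear with
# several thumbprints, so compare thumbprints rather than names.
$files | Where-Object Thumbprint | Group-Object Thumbprint | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Signer     = $first.Signer
        Issuer     = $first.Issuer
        Thumbprint = $_.Name
        NotAfter   = $first.NotAfter
        Files      = $_.Count
        NotValid   = @($_.Group | Where-Object { $_.Status -ne 'Valid' }).Count
    }
} | Sort-Object Signer | Format-List

# Files that are unsigned or fail verification need a decision of their own.
$files | Where-Object { $_.Status -ne 'Valid' } | Select-Object Status, File | Format-Table -AutoSize
```

Save it as a script and run it with -Path set to the folder you want to review; a signer whose files show a status other than Valid deserves a closer look before its certificate is trusted.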
Editing Trust-List App or CERT
Click "Edit App" if you want to edit any information contained within this Trust-List item.
For example, we want to add the word "CERTs" into the name of the Trust-List item. Click "Apply" when you finish editing.
Click "Apply"
Copy App(s) or CERT(s)
Click "Copy" if you want to edit the apps or CERTs contained within this Trust-List item. You will be taken to a different page.
We decided that we want only Microsoft CERTs in this item and that we want to create another trusted item from this one, so we click "All" to select everything.
Then, we uncheck "Spotify AB".
We fill in the information.
We choose how we want to proceed: Trusted, not trusted yet, or one of the other options.
Warning: Selecting Malware, Denied, or Distrusted will apply a "Hard Block" to a certificate.
In this case, we want to create a new Trust-List item, but we do not want it trusted yet, so we select the "Add But Don't Trust Yet" option.
We select where we want to upload our new Trust-List item. We want to upload it somewhere in our inheritance tree.
Click the second dropdown to select the subgroup of your preference located in your inheritance tree to upload the trust.
When you are ready to upload, click "Upload".
We see the Spotify AB cert only, which means that a new item was created in the Trust-List with the other certs only.
Open your Trust-List, select "Only Mine" and look at what we have: we added a new item called "MICROSOFT CERTS ONLY". We added it successfully, and it is not trusted yet, as we chose in the previous step. Click the item for more information.
After you click to see more information, you will notice that the Spotify AB certificate was not added; we only have the four certs that we selected.
Enabling a Distrusted App or CERT
If you have made the decision to trust these four certificates within this Trust-List item, you can click "Trust" to enable this item in the Trust-List.
Disabling a Distrusted App or CERT
If you decide that you are no longer going to use those four certificates within this Trust-List item, you can click "Disable" to remove it together with those four certificates.
Note that we covered distrusting and disabling a Trust-List item earlier in this guide. The purpose of covering it again is to show that a Trust-List item can contain more than one element. In the first example the item held only one certificate, and distrusting it deactivated the trust for that certificate. In this example, disabling a Trust-List item that contains four certificates is the same as disabling the trust for those four certificates at once.
If you are sure about this action, click "Disable it".
This is a quicker way to trust a cert that was already added to your Trust-List but has not been trusted yet. If you do not want to open and expand the details, just click the "Trust" button and it will be trusted automatically.
Click "Distrust" to distrust the item quickly.
Click "Trust" to trust the item quickly.
Export Fingerprint File
If you want to export this item as a "Fingerprint File" to export it physically to another subgroup through the top menu option called "Add fingerprints" (close to the "Show Trust-List" button).