You typically use a certificate when you use a secure Web site or when you send and receive secure e-mail. Theoretically, anyone can issue certificates, but to have truly secure transactions, certificates must be issued by a trusted entity or organization. Microsoft has included, in Windows XP and other products, a list of companies and organizations that it considers trusted authorities.
Typically, when you are presented with a certificate issued by an authority that is not in the trusted authority list provided with your browser or operating system, you are asked if you want to establish trust in the certification authority (CA) that issued the certificate. Many users do not want to establish trust in an authority in this way, since they have limited resources to verify the trustworthiness and issuing policies of the CA.
In Windows XP, you can use the Update Root Certificates function to handle this situation. When you install Windows XP, Update Root Certificates is turned on by default. With this feature turned on, if you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If the CA has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to your trusted certificate store.
For more information, see Turn off automatic updating of trusted root authority certificates, Turn on automatic updating of trusted root authority certificates, and Certificate stores.