This certificate is a critical component of Microsoft’s public key infrastructure (PKI), used to secure websites, software, updates, and cloud services.
Windows periodically downloads an updated list of trusted roots via the Root Certificate Update feature (certutil -syncWithWU). If the 2011 root is ever superseded (e.g., by “Microsoft Root Certificate Authority 2017”), the old one may be moved to Disallowed or left for backward compatibility. microsoft root certificate authority 2011cer work
Before 2011, Microsoft relied heavily on the Microsoft Root Authority (issued in 1997). But by 2010, cryptographic best practices were evolving: This certificate is a critical component of Microsoft’s
The software is signed by an Intermediate CA (like the Microsoft Windows Production PCA 2011). The Intermediate CA is signed by the Root CA 2011. If the 2011 root is ever superseded (e
Or update roots manually:
In PKI, trust is hierarchical. The "Root" sits at the top. However, for security reasons, the Root CA rarely signs end-entity certificates (like a website SSL or a code-signing cert) directly.
If this root certificate is missing, expired (not possible until 2036), or untrusted, you may see: