There is a set of certificates called "root certificates" that are bundled with Windows 2000 at install time. Windows needs these certificates for the proper operation of many of its functions and you should not remove or revoke them.
These are the root certificates and their functions:
Microsoft Root Authority: Used for many low-level functions that require certificate operations.
Microsoft Timestamp Root: Used for time-stamping operations.
Microsoft Authenticode Root: Used for sending secure email and signing code.
There are also two certificates by VeriSign that are used for time stamping and code publishing, and they should not be deleted either.
One thing you may notice is that the dates on the certificates listed above have expired. This is normal, because the certificates are needed for backwards compatibility -- if something was signed with that certificate once upon a time, the same certificate needs to be present to validate the signed object. The certificate may be expired, but as long as it wasn't explicitly revoked, then it's still good for validating anything that was signed when it was still in use.
Microsoft Update may routinely publish new root certificates or updates to existing ones, under the name "Root Certificate Update." These new root certificates do not replace the old ones completely for the above reasons.
Among the problems that may take place if you delete a Root Certificate: if you delete the Verisign Time Stamping certificate, Windows File Protection may be damaged and will not start. The only way to fix this is to find another Windows 2000 computer, export that machine's root certificates, and import them into the damaged computer. The procedures for exporting and importing certificates are described in Microsoft Knowledge Base article Q320878.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
This was first published in August 2002