Updating root certificates
Windows supports many root (CA) certificates from different publishers, but it downloads and installs into the certificate store only those that are needed. If you plan on purchasing digital certificates for your IIS servers, check first that the certificate you plan on purchasing will be trusted on Windows platforms.
To determine which root certificates are available for download by Windows, see the list of Windows Root Certificate Program Members available from http://download.microsoft.com/download/1/4/f/14f7067b-69d3-473a-ba5e-70d04aea5929/windows%20root%20certificate%20program%20members%20november%202009.pdf. When Windows needs to install a new root certificate from this list, it opens a connection to Windows Update, downloads the root certificate it needs, and logs events with source CAPI2 and IDs 4100 and 4097 in the Windows Event logs. After installing the certificate you purchased on your Web servers, check this log to make sure Windows has downloaded the root certificate needed to trust the certificate you purchased.
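
One way to script that check, as an added example that is not part of the original tip: it lists the CAPI2 events with the IDs named above and then confirms that the installed certificate chains to a root present in the machine's root stores. It assumes the events are written to the Application log by a provider whose name contains "CAPI2", and the thumbprint is a placeholder for your own certificate.

```powershell
# Added example. Assumptions: Application log, provider name containing "CAPI2",
# and a placeholder thumbprint for the certificate you installed for IIS.
$Thumbprint = '<THUMBPRINT-OF-YOUR-SERVER-CERTIFICATE>'   # placeholder
$Since      = (Get-Date).AddDays(-7)

# 1. Root-update events named in the text (IDs 4097 and 4100).
$events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Application'
        Id        = 4097, 4100
        StartTime = $Since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -like '*CAPI2*' }

if ($events) {
    $events | Sort-Object TimeCreated |
        Format-List TimeCreated, Id, LevelDisplayName, Message
} else {
    Write-Warning "No CAPI2 events 4097/4100 found since $Since."
}

# 2. Build the chain for the server certificate in the machine context.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My." }

$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
$trusted = $chain.Build($cert)

# The last chain element is the root when the chain is complete; if the chain
# could not be completed it is only the highest certificate Windows found.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# 3. Is that root actually present in the machine's root stores?
$inRootStore = [bool](Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })

[pscustomobject]@{
    Subject        = $cert.Subject
    ChainRoot      = $root.Subject
    RootThumbprint = $root.Thumbprint
    ChainTrusted   = $trusted
    RootInStore    = $inRootStore
    ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
}
```

A result with `ChainTrusted` false or `RootInStore` false means the root needed for the purchased certificate is not yet trusted on that server; `ChainStatus` shows why the chain failed.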