The script for fetching the Microsoft trust store takes all certificates, including certs that do not have the server-auth EKU, i.e. that are not meant to be used for issuing web server certs. This might be the intended behavior but I thought I'd let you know just in case.