Unwanted trusted root certificates keep repopulating

    General discussion

  • Odd one here.  We're running Exchange 2010 on a set of Server 2008 R2 systems split across two locations.

    A bit ago, we noticed some CAPI2 events about the list of trusted root certificates being too long on all systems.  Checked the list, and sure enough, there's about 380 in there.  Many of the names don't look familiar, and about 40 of them are already expired.

    So, removed all the entries that shouldn't be there, and all seemed well.  But just a couple weeks later, and all of the servers at one of the locations have repopulated the bad list.  Servers at the other location appear to be unaffected.

    For the life of me, I cannot figure out where these trusted root certs are coming from. 

    I already verified they're not being pushed via GPO. (http://technet.microsoft.com/en-us/library/cc738131(v=ws.10).aspx)  I also confirmed that KB 931125 was never installed on the servers. (http://support.microsoft.com/kb/2801679)

    I checked the application log but couldn't find anything specific about the certs being installed (although I was searching by cert names, not sure if there's a better event to look for).  We have the CAPI2 log enabled, but unfortunately these are very busy systems and those logs get overwritten pretty quick.

    Any ideas for where else I can look?


    • Edited by Jester4kicks Friday, November 29, 2013 6:20 PM correcting title
    Friday, November 29, 2013 6:14 PM

All replies

  • These certificates came from Windows Update. All these certificates are members of the Microsoft Root Certification program. It is not recommended to disable the root certificate update, but you can disable autoupdate via Group Policy: http://technet.microsoft.com/en-us/library/cc734054(v=ws.10).aspx

    more details: http://technet.microsoft.com/en-us/library/bb457160.aspx


    My weblog: http://en-us.sysadmins.lv
    PowerShell PKI Module: http://pspki.codeplex.com
    Check out new: PowerShell FCIV tool.


    Friday, November 29, 2013 7:16 PM
  • 
    I considered that, however I went through checking connectivity to windows update on these systems, and the connectivity is blocked.  I also checked the policy where you can disable the auto-checking, and it's not configured... however if the connectivity isn't there, it shouldn't matter, right?
    Friday, November 29, 2013 7:19 PM
  • There is another source for these certificates: crypt32.dll library. It maintains a local copy of certificates stored in Windows Update (though, not very up to date).

    Friday, November 29, 2013 7:33 PM
  • 
    Is there a process by which Windows rebuilds its trusted root cert list off of that file?  If so, is there a way to stop it?
    Saturday, November 30, 2013 6:11 PM
  • I think it is controlled by a GPO setting.

    Monday, December 02, 2013 9:31 AM
  • 
    The only thing I can find about this just references the same GPO mentioned previously.

    I did manage to find KB 2813430, but I went through the referenced reg keys and didn't find anything that would cause the CTL to be downloaded from another share.

    Anyone else have any ideas?

    Monday, December 02, 2013 7:23 PM
  • Hi,

    Have you checked the below registry keys:

    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate
      Set this registry key to 1 to disable auto updates for trusted CTLs.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate
      Set the registry to 1 to enable auto updates for disallowed CTLs.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl
      This registry key configures share paths to retrieve CTLs.

    Regards,

    Yan Li


    Friday, December 06, 2013 6:38 AM
    Moderator
  • Hi,

    Any update?


    Regards, Yan Li

    Monday, December 09, 2013 2:37 AM
    Moderator
  • 
    I checked those and they were not present (and I believe the default behavior is to enable auto updates).  This goes along with my thinking, that updating is currently enabled, and we were just banking on the lack of connectivity to MS to prevent it from running.  We didn't take into account the existing third-party root certificates list. 

    After further investigation, I found that the third-party root certificate list had all of the extra 300+ certificates.  So we repeated the process of cleaning up the excess trusted root certs, but also made sure to remove them from the third-party list as well.  It's been about a week, and they have not returned.

    Thursday, December 12, 2013 4:47 PM
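Added example, not code from the thread: a PowerShell audit (assuming Windows PowerShell with the Cert: drive available) that reads the three AuthRoot values listed in Yan Li's reply and compares the LocalMachine Root store with the third-party AuthRoot store where the original poster found the 300+ extra roots, listing expired entries for review without removing anything.

```powershell
# Audit the root auto-update policy values and the Root vs AuthRoot stores.
# Added example; run in an elevated Windows PowerShell session on the affected server.

$keys = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot';  Name = 'DisableRootAutoUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot';  Name = 'EnableDisallowedCertAutoUpdate' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'; Name = 'RootDirUrl' }
)

foreach ($k in $keys) {
    $item = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Absent value means the default applies: root auto-update stays enabled.
        "{0}\{1}: not present (default applies)" -f $k.Path, $k.Name
    } else {
        "{0}\{1} = {2}" -f $k.Path, $k.Name, $item.($k.Name)
    }
}

# Trusted Root store versus the third-party root (AuthRoot) store.
$root     = @(Get-ChildItem Cert:\LocalMachine\Root)
$authRoot = @(Get-ChildItem Cert:\LocalMachine\AuthRoot)
"Root store: {0} certificates; AuthRoot (third-party) store: {1} certificates" -f $root.Count, $authRoot.Count

# Index AuthRoot thumbprints in a hashtable (works on PowerShell 2.0, no member enumeration needed).
$authThumbs = @{}
foreach ($c in $authRoot) { $authThumbs[$c.Thumbprint] = $true }

# Roots present in both stores: cleaning only Root leaves these to be re-seeded from AuthRoot.
$inBoth = @($root | Where-Object { $authThumbs.ContainsKey($_.Thumbprint) })
"Present in both Root and AuthRoot: {0}" -f $inBoth.Count

# Expired entries in either store, listed for review; removal is left to the administrator.
$now = Get-Date
$root + $authRoot |
    Where-Object { $_.NotAfter -lt $now } |
    Sort-Object NotAfter |
    Select-Object @{ n = 'Store'; e = { $_.PSParentPath -replace '.*\\' } }, Subject, NotAfter, Thumbprint |
    Format-Table -AutoSize
```

Compare the output across servers at both locations: a difference in the AuthRoot counts or in the policy values is the first thing to look for when one site repopulates and the other does not.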