15 June 2012 2:41
I was hoping you may be able to assist me in updating the root certificates for my Windows 2008 R2 servers.
I was looking to update the root certificates for all our server estate, and it appears that I can do this using WSUS/Windows Update for Windows 2008 via a Windows Update cab file from this URL: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=931125.
However, this site only lists Windows 2008 and not Windows 2008 R2. The following URL describes updates for Windows 2008 R2: http://support.microsoft.com/kb/931125
“Windows Server 2003, Windows Server 2008, Windows Server 2008 R2: The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP.”
I’d prefer to use WSUS to deploy as opposed to the method for disconnected networks downloading CAB files and using Group Policy, as WSUS would automate future updates, whereas the method for disconnected networks would require regular maintenance.
We have disabled access to Windows Update through group policy, so devices can’t automatically update their root certificates directly from the internet.
Any suggestions, please let me know,
27 June 2012 23:39 Moderator
All of this is somewhat moot, given recent developments, but the point of the above is that KB931125 is only applicable to Windows XP and Windows Server 2003 because those systems did NOT support automatic updating of the Root Certificates store.
Vista and later systems do, by enabling the OS Feature "Update Root Certificates", and ensuring the client system has Internet access on port 80 (typically only an issue for Windows Server systems). Disabling access to Windows Update does not preclude the Update Root Certificates functionality. Blocking the firewall port would.
Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
Product Manager, SolarWinds
Microsoft MVP - Software Distribution (2005-2012)
My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
28 June 2012 9:17
Thanks for the response Lawrence,
I didn't realise that disabling Windows Update doesn't preclude Update Root Certificate functionality. I have some Windows 2008 R2 servers within the DMZ that don't have direct internet access, so was hoping to use WSUS to update them. WSUS seems to be able to update Windows 2008 servers, however not R2 servers as there doesn't appear to be an update for them specifically.
Looks like I may have to use Group Policy as an interim measure.
24 July 2012 21:56
Hi, I too have the same issue of not being able to install Root Certificates on disconnected 2008 R2 machines. However, I have a question. I understand how to publish and update these via group policy, but how do I download them to begin with? I have no 2008 R2 Server that has connectivity to the internet, so I cannot update them to begin with and, as was mentioned, there is no download package available. So, does this mean that I must connect a 2008 R2 machine to the internet to download the Root Update package to begin with, or is there another way?
25 July 2012 0:48
I believe that this URL will allow you to download the files themselves: http://www.microsoft.com/en-us/download/details.aspx?id=29434. You thereafter install the exe, which loads them into the Trusted Root CAs of your machine. You can then export them through the Certificates (Computer) MMC and then use GPOs to import them into the Group Policy. I believe you should be able to complete this on a Windows 2008 server without issue, although I'd do the GPO importing on a Windows 2008 R2 machine to reduce the chance of GPO corruption.
- Proposed as Answer by antwesor 25 July 2012 16:14
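
The export step described in the last reply, as an added PowerShell example that is not part of the original thread: it writes the machine's Trusted Root store to one PKCS #7 bundle for the GPO import, plus a CSV manifest so the list can be reviewed before it becomes trusted on every server the GPO reaches. The output directory and the file names `roots.p7b` and `roots-manifest.csv` are assumptions; it uses only .NET calls so that it runs on the PowerShell 2.0 shipped with Windows Server 2008 R2.

```powershell
# Added example (not from the thread). Run elevated on the machine where the
# root update package was installed. $OutDir and the file names are assumed.
$OutDir = 'C:\RootExport'
if (-not (Test-Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}

$roots  = Get-ChildItem Cert:\LocalMachine\Root
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$now    = Get-Date

# One manifest row per certificate; every certificate also goes into the bundle.
$manifest = foreach ($cert in $roots) {
    [void]$bundle.Add($cert)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt $now)
        # A root CA certificate is self-issued; anything else in this store
        # deserves a second look before it is pushed domain-wide.
        SelfIssued = ($cert.Subject -eq $cert.Issuer)
    }
}

# Public certificates only (no private keys) as a single .p7b file.
$pkcs7 = [System.Security.Cryptography.X509Certificates.X509ContentType]::Pkcs7
$p7b   = Join-Path $OutDir 'roots.p7b'
[System.IO.File]::WriteAllBytes($p7b, $bundle.Export($pkcs7))

# PowerShell 2.0 hashtables are unordered, so fix the column order explicitly.
$manifest |
    Sort-Object Subject |
    Select-Object Subject, Thumbprint, NotAfter, Expired, SelfIssued |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'roots-manifest.csv')

# Surface entries to check by hand before the bundle goes into the GPO.
$manifest | Where-Object { $_.Expired -or -not $_.SelfIssued } |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize
Write-Output ("Exported {0} certificates to {1}" -f $bundle.Count, $p7b)
```

The bundle can then be imported in the GPO under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities; keep the manifest with the change record so a later export can be compared against it.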