Update for Root Certificates

    Question

  • Hi,

    Actually, due to proxy problems, we have prohibited Windows clients from automatically updating their Trusted Root Certificates Authorities. We manage this by deploying the "Update for Root Certificates [November 2009] (KB931125)" update using WSUS.

    Most of our workstations are Windows XP, and now we are working on deploying Windows 7. How can we handle the problem described above?
    I mean, the Update for Root Certificates is designed for Windows XP. I see that Windows 7 workstations won't receive it from WSUS. We tried to manually install the update on some machines and it worked, but it will be a hard task to update all machines manually :o)

    Tks in advance,
    Eduardo

    Tuesday, March 23, 2010 3:11 PM

All replies

  • From what I see, this update is only needed for XP PCs and Windows 7 doesn't need it.

    "A programmer is just a tool which converts caffeine into code" CLIP- Stellvertreter http://www.winvistaside.de/
    Tuesday, March 23, 2010 3:52 PM
  • I thought that too, but some web sites here use Usertrust certificates, and for some reason they are not trusted by an out-of-box Windows 7. The web sites are only trusted after manually installing the root certificate in the Trusted Root store (which is painful for the users to do) or installing the update above.

    Wednesday, March 24, 2010 12:46 PM
  • You can download the package of KB931125, then use the command “DISM” to add this package to the Windows 7 image. Then you may deploy Windows 7 with this image.

    Operating System Package Servicing Commands


    Arthur Xie - MSFT
    Thursday, March 25, 2010 8:42 AM
    Moderator
  • Ok, it's a good option. But I still need to update the Windows 7 desktops that are already running :)

    The perfect resolution for me would be an "Update for Root Certificates" for Windows 7.

    Anyway, thanks for the info Arthur!

    Thursday, April 01, 2010 10:29 PM
  • Hi,

    Currently we cannot download the update package manually. It needs to be installed via Windows Update. Therefore as you mentioned, you need to install a sample Windows 7 system and apply that update. Then get the package from the system.


    Arthur Xie - MSFT
    Friday, April 02, 2010 4:55 AM
    Moderator
  • Sorry, but what's the name of this package on Windows 7? I've searched for it, but couldn't find it.

    We have WSUS here too, but again I couldn't find the package in it. The package "KB931125" is the one that's only for Windows XP...

    Thursday, April 08, 2010 2:32 PM
  • Just to let you know, I've managed to solve this problem.

    On Windows XP, the "automatic update of root certificates" feature doesn't know how to work behind a proxy. It tries to directly download the new root certificates, but gets blocked by our proxy. To stop the crypt32 errors from showing up in the Event Log, we disabled this feature (by GPO).

    But now on Windows 7 I've just found that this same feature knows that it's behind a proxy, and even asks for authentication. The update is automatically triggered every time the user faces a still unknown certification authority. I just re-enabled the feature on our domain policy, and it worked perfectly!

    Some additional info: http://technet.microsoft.com/en-us/library/cc749331%28WS.10%29.aspx

    BTW, now I'm pretty sure that there isn't any kind of KB931125 for Windows 7.

    Monday, June 07, 2010 1:30 PM
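    The reply above turns on the feature through the "Turn off Automatic Root Certificates Update" policy. The following PowerShell is an added example (not from the thread or from Microsoft) for checking a Windows 7 host's state before and after such a change: it reads the policy registry value that setting writes (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate) and lists recent CAPI2 errors in the Application log, which is where failed root-list downloads behind a proxy are recorded. The staging folder name and the seven-day window are assumptions.

```powershell
# Added example: report whether Automatic Root Certificates Update is disabled
# by policy, and surface recent CAPI2 errors that indicate the root-list
# download is failing (for example, being blocked by a proxy).
# Run from an elevated PowerShell prompt on the Windows 7 client.

# Registry value written by the "Turn off Automatic Root Certificates Update" setting
# (Computer Configuration > Administrative Templates > System >
#  Internet Communication Management > Internet Communication settings).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$valueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # Returns 'Disabled' when the policy value is 1, otherwise 'Enabled'
    # (no key, no value, or value 0 all mean the feature is on).
    if (Test-Path $policyKey) {
        $item = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
        if ($item -and $item.PSObject.Properties[$valueName]) {
            if ([int]$item.$valueName -eq 1) { return 'Disabled' }
        }
    }
    return 'Enabled'
}

function Get-RootListErrors {
    param([int]$Days = 7)   # look-back window (assumed value)
    # CAPI2 logs root-list retrieval failures as errors in the Application log;
    # the message text names the download.windowsupdate.com URL or the cab file.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Level        = 2                      # 2 = Error
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue
    return @($events | Where-Object { $_.Message -match 'root list|authroot|windowsupdate' })
}

$state = Get-RootAutoUpdateState
Write-Output "Automatic Root Certificates Update: $state ($policyKey\$valueName)"

$errors = Get-RootListErrors
Write-Output ("CAPI2 root-list errors in the last 7 days: " + $errors.Count)
$errors | Select-Object -First 5 TimeCreated, Id, Message | Format-List
```

    If the state reads Disabled and the error list is empty, the feature is off and nothing is being attempted, which matches the original XP-era workaround; if the state reads Enabled and errors keep appearing, the download itself is still being blocked and the proxy rule for download.windowsupdate.com is the next thing to check.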
  • Eduardo,

    I'm in agreement with you that KB931125 doesn't seem to be applicable to Windows 7. As far as I know, the CryptoAPI 2.0 (Cryptography Next Generation -- CNG) engine in Windows 7 automatically engages an update process in the background when it encounters a certificate that it doesn't trust. If the computer has access to the Internet, then it will automatically obtain the latest trusted root CA cab file from:

    http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    What's interesting is that if I download the above file manually and then extract it, I can right-click on the certificate trust list (STL) file and click install CTL. So, theoretically if I needed to push the trusted root CA updates to systems that can't access the above URL, I could download this CAB file, and extract it. But then I think we're at a crossroads of two options:

    1) Import the STL file into a package distribution mechanism such as System Center Configuration Manager (SCCM) or a computer startup script in AD. In this case, my question is: what is the command line to import a STL file?

    2) Import the STL file into a group policy object (GPO) in Active Directory---into the trusted root CA list. Not sure if this option is possible without further testing.

    Another question: why is it that when I double-click the STL file, I see an error that says "This certificate trust list is not valid. The certificate that signed the list is not valid." Additionally, if I click "View Signature", and then click "View Certificate", and then click the "Certificate Path", I can see that the "Microsoft Certificate Trust List Publisher" certificate has an error: "This certificate does not appear to be valid for the selected purpose." What's the story with this error?

    Thanks,
    Frank

    Monday, January 10, 2011 9:52 PM
  • I haven't tested this yet... but maybe the following procedure will work. Can someone from Microsoft verify?

    First, a prerequisite: The "disconnected machine" needs to be able to access the following URLs to validate the certificate used to sign the STL:
    http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
    http://www.microsoft.com/pki/crl/products/MicCerTruLisPCA_2009-04-02.crl

    Next, download the authrootstl.cab file via:
    http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    and extract the CAB file.

    Put the .STL file on your "disconnected machine". Then, run the following command from an elevated command prompt:
    certutil.exe -f authroot.stl

    Did that update the Root CAs for you?

    Tuesday, January 11, 2011 12:59 AM
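    As an added example (not part of the thread, and not Microsoft's documented offline procedure), this PowerShell performs the download-and-extract part of the steps above on a machine that does have Internet access: it fetches authrootstl.cab through the system proxy, refuses to continue unless the CAB's Authenticode signature is valid, unpacks authroot.stl with expand.exe, and dumps the trust list with certutil so you can see what it contains before copying it to the disconnected machine. The staging folder is an assumption; the final import on the disconnected machine is the command the post proposes, which its author says is untested.

```powershell
# Added example: stage authroot.stl for a disconnected machine.
# 1. download the CAB named in the post (through the system proxy)
# 2. verify the CAB's Authenticode signature before trusting its contents
# 3. expand it and dump the certificate trust list for inspection
$cabUrl  = 'http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
$workDir = Join-Path $env:TEMP 'authroot-offline'    # staging folder (assumed)
New-Item -ItemType Directory -Path $workDir -Force | Out-Null
$cabPath = Join-Path $workDir 'authrootstl.cab'

function Get-SignedCab {
    param([string]$Url, [string]$Destination)
    # WebClient uses the system proxy; default credentials cover an
    # authenticating proxy in a domain environment.
    $client = New-Object System.Net.WebClient
    $client.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $client.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $client.DownloadFile($Url, $Destination)

    # Do not unpack anything whose signature does not verify.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed on ${Destination}: $($sig.Status) - $($sig.StatusMessage)"
    }
    return $sig.SignerCertificate.Subject
}

function Expand-RootList {
    param([string]$CabPath, [string]$Destination)
    # expand.exe ships with Windows; -F:* extracts every file in the cabinet.
    & expand.exe $CabPath '-F:*' $Destination | Out-Null
    $stl = Join-Path $Destination 'authroot.stl'
    if (-not (Test-Path $stl)) { throw "authroot.stl not found after expanding $CabPath" }
    return $stl
}

$signer  = Get-SignedCab -Url $cabUrl -Destination $cabPath
Write-Output "CAB signature valid; signed by: $signer"

$stlPath = Expand-RootList -CabPath $cabPath -Destination $workDir
Write-Output "Extracted trust list: $stlPath"

# Show the CTL contents (subject identifiers and the signer chain) before it goes anywhere.
& certutil.exe -dump $stlPath
```

    The signature check is the point of doing this in a script rather than by hand: the STL is only as trustworthy as the path it took to the disconnected machine, so verifying the CAB at the download point, and keeping the CRL URLs listed above reachable for the import, is what keeps the manual route from being weaker than the automatic one.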
  • For anyone else having this issue:

    - On any Windows 7 machines that are behind a firewall/proxy (one that is blocking access to http://download.windowsupdate.com/*), this problem may come up.

    - Workaround: download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and install the updated root certs.

    Tuesday, July 10, 2012 3:44 AM