Actually, due to proxy problems, we have prohibited Windows clients from automatically updating their Trusted Root Certificates Authorities. We manage this by deploying the "Update for Root Certificates [November 2009] (KB931125)" update using WSUS.
Most of our workstations are Windows XP, and now we are working on deploying Windows 7. How can we handle the problem described above?
I mean, the Update for Root Certificates is designed for Windows XP. I see that Windows 7 workstations won't receive it from WSUS. We tried to manually install the update on some machines and it worked, but it will be a hard task to update all machines manually :o)
Tks in advance,
I thought that too, but some web sites here uses Usertrust certificates, and for some reason they are not trusted by an out-of-box Windows 7. The web sites are only trusted after manually installing the root certificate in the Trusted Root store (which is painfull for the users to do) or installing the update above.
Currently we cannot download the update package manually. It needs to be installed via Windows Update. Therefore as you mentioned, you need to install a sample Windows 7 system and apply that update. Then get the package from the system.
Arthur Xie - MSFT
Just to let you know, I've managed how to solve this problem.
On Windows XP, the "automatic update of root certificates" feature doesn't know how to work behind a proxy. It tries to directly download the new root certificates, but gets blocked by our proxy. To stop the crypt32 errors from showing up on Event Log, we disabled this feature (by GPO).
But now on Windows 7 I've just found that this same feature knows that it's behind and proxy, and even asks for authentication. The update is automatically triggered every time the user faces a still unknow certification authority. I just re-enabled the feature on our domain policy, and it worked perfectly!
Some additional info: http://technet.microsoft.com/en-us/library/cc749331%28WS.10%29.aspx
BTW, now I'm pretty sure that there isn't any kind of KB931125 for Windows 7
I'm in agreement with you that KB931125 doesn't seem to be applicable to Windows 7. As far as I know, the CryptoAPI 2.0 (Cryptography Next Generation -- CNG) engine in Windows 7 automatically engages an update process in the background when it encounters a certificate that it doesn't trust. If the computer has access to the Internet, then it will automatically obtain the latest trusted root CA cab file from:
What's interesting is that if I download the above file manually and then extract it, I can right-click on the certificate trust list (STL) file and click install CTL. So, theoretically if I needed to push the trusted root CA updates to systems that can't access the above URL, I could download this CAB file, and extract it. But then I think we're at a crossroads of two options:
1) Import the STL file into a package distribution mechanism such as System Center Configuration Manager (SCCM) or a computer startup script in AD. In this case, my question is: what is the command line to import a STL file?
2) Import the STL file into a group policy object (GPO) in Active Directory---into the trusted root CA list. Not sure if this option is possible without further testing.
Another question: why is it that when I double-click the STL file, I see an error that says "This certificate trust list is not valid. The certificate that signed the list is not valid." Additionally, if I click "View Signature", and then click "View Certificate", and then click the "Certificate Path", I can see that the "Microsoft Certificate Trust List Publisher" certificate has an error: "This certificate does not appear to be valid for the selected purpose." What's the story with this error?
I haven't tested this yet... but maybe the following procedure will work. Can someone from Microsoft verify?
First, a prerequisite: The "disconnected machine" needs to be able to access the following URLs to validate the certificate used to sign the STL:
Next, download the authrootstl.cab file via:
and extract the CAB file.
Put the .STL file on your "disconnected machine". Then, run the following command from an elevated command prompt:
certutil.exe -f authroot.stl
Did that update the Root CAs for you?
- Edited by Frank E Lesniak Tuesday, January 11, 2011 1:01 AM Formatting
For anyone else having this issue:
- Any Windows 7 machines that are behind a firewall/proxy (that is blocking access to http://download.windowsupdate.com/*), this problem may come up.
- Work around: download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe and install the updated root certs.