none
crypt32 errors in event viewer. ID 11 and ID 8

    Question

  • Hello,
    We are getting a lot of these messages on our server. I've looked all over the internet and can't really find a good solution. Does anyone know how I can resolve these isssue.

    Event Type: Error
    Event Source: crypt32
    Event Category: None
    Event ID: 11
    Date:  7/13/2010
    Time:  2:28:53 AM
    User:  N/A
    Computer: Server
    Description:
    Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

    any help would be greatly appreciated.
    Thanks,

    K

    Tuesday, July 13, 2010 3:29 PM

Answers

  • Hi,
     
    How is your CAPI2 log looking? While mine was collecting events, the
    majority of the errors that are being logged are for an HRESULT of
    80092013, "The revocation function was unable to check revocation
    because the revocation server was offline.", during a "Build Chain" or
    "Verify Revocation" operation. This isn't really a big deal, just means
    that one of the publishers ahs one or more servers down.
     
    It might be possible that there are problems installing new root
    certificates if the CRL or OCSP server cannot be contacted to verify the
    validity. The latest actual update for root certificates is here,
     
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e4f9b573-66d7-4dda-95d5-26c7d0f6c652
     
    but this is only for XP SP2/SP3. Looking at the associated KB
    (http://support.microsoft.com/kb/931125), it appears that server SKUs
    have a limit to the number of trusted CAs and installing the update
    might overrun this limit, causing other problems. One alternative is to
    disable automatic updates for root certificates,
     
    http://technet.microsoft.com/en-us/library/cc738920(WS.10).aspx
     
    Alternatively, digging through this post
     
    http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/acdf1b25-dace-4cfc-8a3d-cb961c1031cc
     
    One possible method of working with this seems to be downloading this file,
     
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
     
    Open the cab file and extract the authroot.stl file. Double click and it
    might say that it is not valid. The next recommendation involves backing
    up and deleting the contents of
     
    %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
     
     
    and backing up and deleting the certificates under this registry key
     
    HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
     
     
    and restarting the server. Note that under the Certificates key there
    are keys that probably contain the thumbprint of the certificate (ex.
    02FAF3E291435468607857694DF5E45B68851868). I think that each of these
    keys probably needs to be removed.
     
    This seems to have worked for most people as the thread dies shortly after.
     
     

    -- Mike Burr
    • Marked as answer by Karen Ji Wednesday, July 21, 2010 7:41 AM
    Wednesday, July 14, 2010 2:19 PM

All replies

  • Hi,
     
    We can explore the problem further by enabling the CAPI2 log,
     
    Start -> Control Panel -> Administrative Tools -> Event Viewer
     
    Expand Applications and Services\Microsoft\Windows\CAPI2
     
    Right click the Operational log and click Enable Log. After some events
    are generated, can you post the specific errors and warnings that you
    are getting?
     

    -- Mike Burr
    Tuesday, July 13, 2010 5:38 PM
  • Hi Mike,

    This is a Windows 2003 server. Is there a way to get this logging with Win 2003 Std. I see where it is located on Windows 2008. Please advise?

    Thanks,

    -K

    Tuesday, July 13, 2010 6:25 PM
  • I've been looking around and I don't think the same logging is available
    in 2003. Is this issue isolated to your 2003 server?
     

    -- Mike Burr
    Tuesday, July 13, 2010 7:52 PM
  • Well we have this issue on 2003 and 2008. I've turned on the logging in 2008, but not on 2003.
    Tuesday, July 13, 2010 8:24 PM
  • Hi,
     
    How is your CAPI2 log looking? While mine was collecting events, the
    majority of the errors that are being logged are for an HRESULT of
    80092013, "The revocation function was unable to check revocation
    because the revocation server was offline.", during a "Build Chain" or
    "Verify Revocation" operation. This isn't really a big deal, just means
    that one of the publishers ahs one or more servers down.
     
    It might be possible that there are problems installing new root
    certificates if the CRL or OCSP server cannot be contacted to verify the
    validity. The latest actual update for root certificates is here,
     
    http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=e4f9b573-66d7-4dda-95d5-26c7d0f6c652
     
    but this is only for XP SP2/SP3. Looking at the associated KB
    (http://support.microsoft.com/kb/931125), it appears that server SKUs
    have a limit to the number of trusted CAs and installing the update
    might overrun this limit, causing other problems. One alternative is to
    disable automatic updates for root certificates,
     
    http://technet.microsoft.com/en-us/library/cc738920(WS.10).aspx
     
    Alternatively, digging through this post
     
    http://social.answers.microsoft.com/Forums/en-US/vistawu/thread/acdf1b25-dace-4cfc-8a3d-cb961c1031cc
     
    One possible method of working with this seems to be downloading this file,
     
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
     
    Open the cab file and extract the authroot.stl file. Double click and it
    might say that it is not valid. The next recommendation involves backing
    up and deleting the contents of
     
    %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
    %systemdrive%\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
     
     
    and backing up and deleting the certificates under this registry key
     
    HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates\AuthRoot\Certificates
     
     
    and restarting the server. Note that under the Certificates key there
    are keys that probably contain the thumbprint of the certificate (ex.
    02FAF3E291435468607857694DF5E45B68851868). I think that each of these
    keys probably needs to be removed.
     
    This seems to have worked for most people as the thread dies shortly after.
     
     

    -- Mike Burr
    • Marked as answer by Karen Ji Wednesday, July 21, 2010 7:41 AM
    Wednesday, July 14, 2010 2:19 PM