Updated Root Certificates windows update for Windows 2008 R2 Server Kb931125

    Question

  • Hey All,

    I was hoping you may be able to assist me in updating the root certificates for my Windows 2008 R2 servers. 

    I was looking to update the root certificates for all our server estate and it appears that I can do this using WSUS/windows update for Windows 2008 via a windows update cab file from this url, http://catalog.update.microsoft.com/v7/site/Search.aspx?q=931125.

    However this site only lists Windows 2008 and not Windows 2008R2. The following url describes updates for Windows 2008 R2 http://support.microsoft.com/kb/931125

    "Windows Server 2003, Windows Server 2008, Windows Server 2008 R2: The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP."


    I’d prefer to use WSUS to deploy as opposed to the method for disconnected networks downloading CAB files and using Group Policy, as WSUS would automate future updates, whereas the method for disconnected networks would require regular maintenance.

    We have disabled access to Windows Update through group policy, so devices can’t automatically update their root certificates directly from the internet.

    Any suggestions, please let me know,

    Cheers

    Andrew

    Friday, June 15, 2012 2:41 AM

Answers

  • Generally speaking...

    KB931125 should *NOT* be installed to Server operating systems.

    If a KB931125 update package contains one or more root certificates that are needed by a server system, those certificates should be exported from a Windows 7 system that has been updated with the latest root certificates.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, May 24, 2013 5:04 PM
    Moderator
  • Maybe i didn't explain myself very well

    My Exchange Servers are showing an event 36885

    http://www.eventid.net/display.asp?eventid=36885&eventno=8846&source=Schannel&phase=1

    This seems to relate to having the KB931125 installed on those servers by accident due to Microsoft accidentally making them available for servers and I have approved them via WSUS.

    Correct. Although it's not the KB931125 that specifically causes that problem, but rather having too many certificates in the Trusted Root Certificate Authorities store. Then, when the store is queried, SCHANNEL craps out because it can only transfer 16k of data, and the cert store has more than 16k of data in it.

    The scenario is discussed in further detail in KB2801679.

    My question is really whether i should still follow the instructions here:

    http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx

    Yes, you need to fix this. There are three ways you can fix it:

    Use the FIX-IT solution in the KB article. If you only installed the update to one or a few machines, then the FIX-IT solution will likely be the best approach, but keep in mind what the FIX-IT solution does. It destroys the entire certificate store. That's likely to cause as much harm, if not more, unless you have a plan in place for recovering the certificates that are needed.

    The second way you can approach it is to use the manual method described in the KB article (essentially what the FIX-IT does), which is to delete the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates registry key. But, as noted above, to my way of thinking that's a pretty radical thing to kill off the entire certificate store, and almost certainly there will be negative implications.

    The third methodology -- the one I've been using and recommending for four years, since I first encountered these issues with SCHANNEL and the size limitations -- is to load up the MMC Certificates snap-in and surgically delete the certificates that are not needed. I focus on the following certificates:

    • All certificates that are expired.
    • All certificates that are about to expire (there are probably already replacements in the cert store).
    • All certificates from foreign entities that I will never do business with.
    • All certificates from other entities that I will likely never do business with.
    • And if I still need to kill some more off, I look at certificates with exceptionally long expiration dates (or especially old creation dates), because these are probably weak certificates issued back when 10-year and 20-year certificates were not considered problematic. (Assuming that KB2661254 hasn't already been installed and revoked all of them anyway.) Even if they're 1k-bit certs, if they have a 20-year expiration, they've likely (hopefully!) been replaced with a new cert with a shorter expiration date.

    The key thing to keep in mind is that by deleting individual certificates that you know you don't need, you can hardly do any harm. Even if you did, it's trivial to obtain and replace the certificate, if you know what it is you deleted. Ultimately if you get the certificate store around 180-200 certificates, then the store size will likely be <16k and the TLS/SSL problems will go away.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Friday, June 14, 2013 4:32 PM
    Moderator
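As an added example (not from the thread, and not a Microsoft tool), the following PowerShell script measures the LocalMachine Root and AuthRoot stores against the 16 KB figure the answer above attributes to SCHANNEL, and lists removal candidates in the order the answer gives (expired, about to expire, unusually long-lived). The 90-day "about to expire" window and the 10-year "long-lived" threshold are assumptions; the script only reports unless $RemoveExpired is set, and even then it removes only certificates that are already expired.

```powershell
# Added example, not from the thread: audit the LocalMachine Root and AuthRoot
# stores for the SCHANNEL 16 KB size problem (event 36885) discussed above.
# Assumes the Cert: provider of PowerShell 2.0 on Windows Server 2008 R2.
$RemoveExpired = $false            # report only unless explicitly set to $true
$limitBytes    = 16KB              # size the thread attributes to the SCHANNEL limit
$now           = Get-Date
$soon          = $now.AddDays(90)  # "about to expire" window (assumption)
$longDays      = 3652              # ~10 years of validity, likely an old/weak root (assumption)

foreach ($storeName in 'Root', 'AuthRoot') {
    $certs = @(Get-ChildItem "Cert:\LocalMachine\$storeName")
    $bytes = 0
    foreach ($c in $certs) { $bytes += $c.RawData.Length }   # DER bytes per certificate
    $state = if ($bytes -gt $limitBytes) { 'ABOVE 16 KB' } else { 'under 16 KB' }
    "{0}: {1} certificates, {2:N0} bytes of DER ({3})" -f $storeName, $certs.Count, $bytes, $state

    # Candidate groups in the order the answer suggests.
    $expired   = @($certs | Where-Object { $_.NotAfter -lt $now })
    $expiring  = @($certs | Where-Object { $_.NotAfter -ge $now -and $_.NotAfter -lt $soon })
    $longLived = @($certs | Where-Object {
        $_.NotAfter -ge $soon -and ($_.NotAfter - $_.NotBefore).TotalDays -gt $longDays })

    foreach ($group in @(@('Expired', $expired), @('ExpiringSoon', $expiring), @('LongLived', $longLived))) {
        "  {0}: {1}" -f $group[0], $group[1].Count
        $group[1] | Sort-Object NotAfter | ForEach-Object {
            "    {0}  {1:yyyy-MM-dd}  {2}" -f $_.Thumbprint, $_.NotAfter, $_.Subject
        }
    }

    # Expired roots are already rejected during chain building, so removing them
    # does not change what the server trusts. Removal goes through X509Store
    # because the Cert: provider in PowerShell 2.0 does not support Remove-Item.
    # Roots distributed by Group Policy will be re-applied at the next refresh.
    if ($RemoveExpired -and $expired.Count -gt 0) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite')
        foreach ($c in $expired) { $store.Remove($c); "    removed $($c.Thumbprint)" }
        $store.Close()
    }
}
```

Run it in an elevated PowerShell session; the per-store byte totals show whether you are near the limit before you delete anything, and the thumbprints give you the record of what was removed that the answer says you need in order to restore a certificate later.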

All replies

  • All of this is somewhat moot, given recent developments, but the point of the above is that KB931125 is only applicable to Windows XP and Windows Server 2003 because those systems did NOT support automatic updating of the Root Certificates store.

    Vista and later systems do, by enabling the OS Feature "Update Root Certificates", and ensuring the client system has Internet access on port 80 (typically only an issue for Windows Server systems). Disabling access to Windows Update does not preclude the Update Root Certificates functionality. Blocking the firewall port would.


    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    Product Manager, SolarWinds
    Microsoft MVP - Software Distribution (2005-2012)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin

    Wednesday, June 27, 2012 11:39 PM
    Moderator
  • Thanks for the response Lawrence, 

    I didn't realise that disabling Windows Update doesn't preclude Update Root Certificate functionality. I have some Windows 2008 R2 servers within the DMZ that don't have direct internet access, so was hoping to use WSUS to update them. WSUS seems to be able to update Windows 2008 servers, however not R2 servers as there doesn't appear to be an update for them specifically. 

    Looks like I may have to use Group Policy as an interim measure.

    Cheers again,

    Andrew

    Thursday, June 28, 2012 9:17 AM
    Hi, I too have the same issue of not being able to install Root Certificates on disconnected 2008 R2 machines. However, I have a question. I understand how to publish and update these via group policy, but how do I download them to begin with? I have no 2008 R2 Server that has connectivity to the internet so I cannot update them to begin with and as was mentioned, there is no download package available. So, does this mean that I must connect a 2008 R2 machine to the internet to download the Root Update package to begin with, or is there another way?

    Thanks,

    Todd

    Tuesday, July 24, 2012 9:56 PM
  • Todd,

    I believe that this URL will allow you to download the files themselves: http://www.microsoft.com/en-us/download/details.aspx?id=29434. You thereafter install the exe, which loads them into the Trusted Root CAs of your machine. You can then export them through the Certificates (Computer) MMC and then use GPOs to import them into the Group Policy. I believe you should be able to complete this on a Windows 2008 server without issue, although I'd do the GPO importing on a Windows 2008 R2 machine to reduce the chance of GPO corruption.

    HTH

    Regards

    Andrew

    Wednesday, July 25, 2012 12:48 AM
  • Hi Lawrence

    Unfortunately 931125 was installed on my Exchange 2010 servers.

    I am not having any issues that I know about; at least nothing has happened since it was installed in December 2012 (months ago).

    Can you tell me, if I run the fixit that removes the certificates, will it break my Exchange servers or will they automatically download the required certs through the root certificate update mechanism built into Windows 2008 R2?

    I want to remove the event ID that is being generated in the system log.

    Monday, June 10, 2013 11:29 AM
  • Can you tell me, if I run the fixit that removes the certificates

    I don't know anything about a fixit that removes certificates. Load up the Certificates MMC and delete the ones you don't need.

    will it break my exchange servers

    If you delete the wrong certificates, I would imagine so.

    will they automatically download the required certs through the root certificate update mechanism built in windows 2008 r2.

    I suspect if they've already been synchronized, and then you delete them, they will not be replaced again.

    I want to remove the event id that is being generated in the system log

    What EventID? I thought you just said that you're not having any issues?

    Lawrence Garvin, M.S., MCITP:EA, MCDBA, MCSA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2013)
    My MVP Profile: http://mvp.support.microsoft.com/profile/Lawrence.Garvin
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

    Monday, June 10, 2013 5:52 PM
    Moderator
  • Lawrence

    Maybe i didn't explain myself very well

    My Exchange Servers are showing an event 36885

    This seems to relate to having the KB931125 installed on those servers by accident due to Microsoft accidentally making them available for servers and I have approved them via WSUS.

    They were installed in December 2012 and I haven't had any issue per se.

    My question is really whether I should still follow the instructions here:

    http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx

    This being the FIX-IT solution - http://support.microsoft.com/kb/2801679

    What will the immediate effect be if I remove the Third-party Root Certification Authorities?

    Is this safe to do? Guess I'm just being overcautious.

    Thanks

    Chris

    Friday, June 14, 2013 1:04 PM
  • Lawrence

    I appreciate the time you have spent responding to my question. My concerns have been founded, and I'm glad you have that option 3; looks like I will need to spend some time looking at this ASAP.

    So thanks again for clarifying this for me.

    Best Regards

    Chris

    Monday, June 17, 2013 9:44 AM