Certificate Store Size Limit

    Question

  • Hi,

    on a 2008 R2 server I see the following event logged:

    Log Name: System
    Source: Schannel
    Date: 04.01.2013 18:59:42
    Event ID: 36885
    Task Category: None
    Level: Warning
    Keywords:
    User: SYSTEM
    Computer: x
    Description:
    When asking for client authentication, this server sends a list of trusted certificate authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently this server trusts so many certificate authorities that the list has grown too long. The list has been truncated. The administrator of this machine should review the certificate authorities trusted for client authentication and remove those that do not really need to be trusted.

    For VPN access, I already set

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

    to zero, which apparently resolved dial-in problems. But the warning in the event log still prevails.

    What are the recommended countermeasures? Should I start manually deleting certificates from the store?

    How can I find out how big the list is, to judge "how much over the limit" my store currently is?


    Regards, AngusMac

    Friday, January 04, 2013 6:45 PM

Answers

  • Keep in mind the Microsoft Root Certificate Program is primarily aimed at improving the security and user experience on clients, by allowing Extended Validation in Internet Explorer for example.  A server will almost never use most of the certificates registered with the Root Certificate Program.  In fact, MS warns about installing the update bundle for Root Certificates on servers in KB931125, which is the KB article that covers all of the Root CA updates packages issued by Microsoft, because it causes the issue you are having.  Therefore in general, I wouldn't push this update to any servers.

    I believe it is a better strategy on servers to ensure the required Root CA certificates are present for that server platform (in KB293781), then install certificates as required from third-party certificate authorities.  I would be most concerned with Verisign/Symantec (http://www.verisign.com/support/roots.html), Geotrust/Equifax (http://www.geotrust.com/resources/root-certificates/index.html) and Thawte (https://www.thawte.com/roots/index.html).  All of the CAs allow you to register for updates so you are notified when a certificate is replaced.  Note, I wouldn't install all of these, only those that are necessary for the server to do its job (this may take some research and testing).

    Do you have a test environment available?  I would first document the certificates you know you need in your environment, then in my test environment back up all the certificates, then purge all of them except those in KB293781 and a select few of the other major root CA certificates. 

    • Marked as answer by AngusMac Thursday, January 10, 2013 8:58 AM
    Tuesday, January 08, 2013 4:14 PM
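    The back-up-then-purge procedure recommended above, as an added worked example (not code from the thread or from Microsoft). It writes every certificate in the machine's Trusted Root store to a folder as DER (.cer) files, then removes everything that is not on an explicit keep-list. The keep-list is a placeholder with dummy thumbprints: fill it with the thumbprints of the roots listed in KB 293781 plus the third-party roots the server actually needs. Nothing is deleted unless -Commit is passed, so the first run is a dry run. The .NET X509Store API is used rather than Remove-Item on the Cert: drive so the script also runs on the Windows PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example: back up the LocalMachine\Root store, then prune it to a keep-list.
# Run elevated. Dry run by default; re-run with -Commit to actually remove certificates.
param(
    [string]$BackupDir = "C:\CertBackup\Root-$(Get-Date -Format yyyyMMdd-HHmmss)",
    [switch]$Commit
)

# Hypothetical keep-list (assumption): replace with the real SHA-1 thumbprints of the
# KB 293781 roots and of the third-party roots this server needs.
$keep = @(
    "0000000000000000000000000000000000000001",
    "0000000000000000000000000000000000000002"
)

$null = New-Item -ItemType Directory -Path $BackupDir -Force

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadWrite")

$removed = 0
# Iterate over a copy so removing from the store does not disturb the enumeration
foreach ($cert in @($store.Certificates)) {
    # Export as DER; "certutil -addstore Root <file>" puts it back if something breaks
    $file = Join-Path $BackupDir ("{0}.cer" -f $cert.Thumbprint)
    [IO.File]::WriteAllBytes($file, $cert.Export("Cert"))

    if ($keep -contains $cert.Thumbprint) { continue }

    if ($Commit) {
        $store.Remove($cert)
        $removed++
        "removed       {0}  {1}" -f $cert.Thumbprint, $cert.Subject
    } else {
        "would remove  {0}  {1}" -f $cert.Thumbprint, $cert.Subject
    }
}
$store.Close()

"Backed up {0} certificate(s) to {1}; removed {2}." -f @($store.Certificates).Count, $BackupDir, $removed
```

    Run it once without -Commit in the test environment, diff the "would remove" list against what the server's applications are known to need, and only then run it with -Commit. Keep the backup folder: the exported .cer files are the quickest way to reinstate a root that turns out to be required after all.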

All replies

  • The limit for the trusted certification authority list in Server 2008 R2 is 16KB.  Ideally, you would go through the list of trusted certification authorities on the server throwing this error and remove any that are not needed in your organization.  If you have removed all you can and still see this error, follow method 2 in the workaround section of this KB: http://support.microsoft.com/kb/933430.  This will get machines in your AD forest to stop trusting any root that isn't in the Enterprise Root Certification Authorities store.  As a result, this error will not appear anymore on domain systems, however you will have to regularly maintain trusted root CA certificates in the Enterprise Root Certification Authorities store via Group Policy.
    Friday, January 04, 2013 8:56 PM
  • Thanks for the reply:

    I'm only asking because I was explicitly cautioned _against_ removing _any_ certificates from the Windows store, even expired ones, and even if they were apparently not needed (a previous thread in this forum.) The reason given was that the certificates would also be used to check executables' signatures, where I can't possibly know which ones are needed now or in the future.

    Also, towards the second part of my question - how can I see how many certificates I have to delete? How can I find out how big the current list is?


    Regards, AngusMac


    • Edited by AngusMac Friday, January 04, 2013 10:42 PM
    Friday, January 04, 2013 10:41 PM
  • Correct, some certificates must not be removed from the trust root store, even if expired.  Here is the list of certificates required by the various flavors of windows: http://support.microsoft.com/kb/293781.  You definitely must not remove these certificates, others may be removed without affecting OS stability, but not necessarily application stability (it depends on what you have installed).

    I guess the best way to tell how big your trusted root list is would be to sniff traffic during the SSL/TLS handshake.  I would assume they are about 1KB each.  But note that not all certs in the trusted root certification authorities store are necessarily sent in this list.

    • Marked as answer by AngusMac Saturday, January 05, 2013 9:20 PM
    • Unmarked as answer by AngusMac Monday, January 07, 2013 2:16 PM
    Friday, January 04, 2013 11:12 PM
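    The list size can be computed from the store itself instead of sniffing the handshake. The script below is an added example, not from the thread. One caveat worth knowing for the estimate: the TLS CertificateRequest message carries the DER-encoded distinguished name of each trusted CA (each with a two-byte length prefix), not whole certificates, so the script sums the subject-name bytes as the on-the-wire figure and reports the whole-certificate total only as a pessimistic upper bound. It uses the 16 KB limit quoted earlier in this thread as its reference point, and assumes Windows PowerShell 2.0 on Server 2008 R2, which is why it reads the store through the .NET X509Store API.

```powershell
# Added example: estimate the size of the trusted-issuer list Schannel would send
# in a TLS CertificateRequest, from the LocalMachine\Root store.
$limitBytes = 16KB   # figure quoted earlier in this thread for Server 2008 R2

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store("Root", "LocalMachine")
$store.Open("ReadOnly")

$rows = @(foreach ($cert in $store.Certificates) {
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Expired    = ($cert.NotAfter -lt (Get-Date))
        DnBytes    = $cert.SubjectName.RawData.Length   # DER-encoded DN: what goes on the wire
        CertBytes  = $cert.RawData.Length               # whole certificate: upper bound only
    }
})
$store.Close()

# Each DN in the certificate_authorities list is preceded by a 2-byte length field
$dnTotal   = ($rows | Measure-Object -Property DnBytes -Sum).Sum + 2 * $rows.Count
$certTotal = ($rows | Measure-Object -Property CertBytes -Sum).Sum

"Trusted roots        : {0}" -f $rows.Count
"  of which expired   : {0}" -f @($rows | Where-Object { $_.Expired }).Count
"DN list on the wire  : {0:N0} bytes ({1:P0} of the {2:N0}-byte limit)" -f $dnTotal, ($dnTotal / $limitBytes), $limitBytes
"Whole certificates   : {0:N0} bytes (upper bound)" -f $certTotal

# Largest contributors first: long DNs and expired roots are the first candidates for review
$rows | Sort-Object DnBytes -Descending |
    Select-Object -First 20 DnBytes, Expired, NotAfter, Subject |
    Format-Table -AutoSize
```

    The "DN list on the wire" line is the number to compare with the limit; if it is under 16 KB and the warning still appears, the truncation is not explained by the Root store alone and the other stores Schannel consults for client authentication (the intermediate and enterprise stores) are the next place to look.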
  • I now have shaved down the list from over 350 trusted CAs to less than 250, but still this warning appears.

    Approximately how many certificates should there be on an average server?


    Regards, AngusMac

    Monday, January 07, 2013 2:16 PM
  • I typically would expect to see 20-50 depending on the business, possibly more.  However, 350 is abnormally high.

    Are these well-known CAs?  It sounds like your use model for X.509 is non-standard.

    Monday, January 07, 2013 4:36 PM
  • I think I'm on a major wrong track here: Which certificate store exactly do I need to watch? I checked "computer"/"trusted roots" - is this incorrect?

    Regards, AngusMac

    Monday, January 07, 2013 6:23 PM
    > I think I'm on a major wrong track here: Which certificate store exactly do I need to watch? I checked "computer"/"trusted roots" - is this incorrect?
    >
    > Regards, AngusMac

    In the snap-in you should have:

    Certificates (Local Computer)

    ----> Trusted Root Certification Authorities

    --------> Certificates


    • Edited by Neil Frick Monday, January 07, 2013 7:38 PM
    Monday, January 07, 2013 7:38 PM
  • Ok, then I was looking in the right place after all (my system is German language so my English naming wasn't accurate.)

    Yes, this store currently contains 246 certificates. It used to be 357 certificates before I started deleting the ones obviously not needed.

    All are from - more or less - well known authorities, e.g. issued by Thawte, Verisign, GeoTrust, D-Trust (to name the most frequent.) Most are still valid for years to come.

    What would happen if I deleted all of them (save for the few essential ones by Microsoft and Verisign?) Would they automatically be reintroduced when the next root update from MS was published? Or would they automatically be retrieved if an executable should surface that was signed by one of them, or if IE needed to establish a SSL connection to a site?


    Regards, AngusMac
    • Edited by AngusMac Monday, January 07, 2013 11:34 PM
    Monday, January 07, 2013 11:28 PM
  • Of course - that's why I have so many certificates there: The root certificate updates have been dutifully applied, even on the server. WSUS reported the update as "required", so it was accepted.

    I will proceed removing (almost) all certificates from the server and henceforth not install the root certificate updates on the server.

    Thank you for your help!


    Regards, AngusMac

    Thursday, January 10, 2013 9:10 AM