Update Certificate Trust List using WSUS RRS feed

Question

  • Hey fellas!
    Inside our domain we get a certificate error on Windows 7 clients because of the lack of the GeoTrust DV SSL CA - G4 intermediate certificate.
    Actually, the chain is not trusted on those clients. When we install it manually the problem vanishes, but in fact I am looking for a way to do it using Windows Update Services. Is there any specific Windows Update package to do this?
    Sunday, March 6, 2016 7:46 AM

Answers

  • Inside our domain we get a certificate error on Windows 7 clients because of the lack of the GeoTrust DV SSL CA - G4 intermediate certificate.
    Actually, the chain is not trusted on those clients.

    The intermediate CA's certificate would normally be sent by the server/appliance/system to which you are connecting (as well as its own certificate).

    There is normally no need to pre-distribute intermediate CA certs???


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Sunday, March 6, 2016 10:41 AM
    • Marked as answer by MTorabi Monday, March 7, 2016 6:40 AM
    Sunday, March 6, 2016 10:40 AM
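    A way to see the situation Don describes from the client's side, as an added example (not code from the thread, not from Microsoft): it opens a TLS connection the way a Windows 7 client does, captures the chain CryptoAPI could assemble from the certificates the server sent plus the local stores, and reports for each element whether it came from the client's own Intermediate Certification Authorities store. A `PartialChain` status is the symptom from the question: the intermediate is neither served by the server nor present locally. The host name is a placeholder; it assumes Windows PowerShell 2.0 or later and the .NET `SslStream`/`X509Chain` classes.

```powershell
# Added diagnostic, not from the thread. Builds the chain for a TLS server as the
# local client sees it and tells you where each element came from.
function Test-ServerCertChain {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,   # placeholder, e.g. intranet.example.internal
        [int]$Port = 443
    )

    # Filled in by the validation callback during the handshake.
    $captured = @{ Leaf = $null; Elements = @(); Status = @(); PolicyErrors = $null }

    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $captured.Leaf         = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $captured.Elements     = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $captured.Status       = @($chain.ChainStatus   | ForEach-Object { $_.Status.ToString() })
        $captured.PolicyErrors = $sslPolicyErrors
        return $true   # diagnostic only: let the handshake finish so the chain can be inspected
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($HostName) }
    finally { $ssl.Dispose(); $tcp.Close() }

    # Thumbprints of intermediates this client already has in its own CA stores.
    $localCA = @(Get-ChildItem Cert:\LocalMachine\CA, Cert:\CurrentUser\CA -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Thumbprint })

    "Server : ${HostName}:${Port}"
    "Leaf   : $($captured.Leaf.Subject)"
    "Policy : $($captured.PolicyErrors)"
    "Status : $(if ($captured.Status.Count) { $captured.Status -join ', ' } else { 'NoError' })"
    "Chain as built on this client:"
    $i = 0
    foreach ($c in $captured.Elements) {
        $kind  = if ($i -eq 0) { 'leaf' } elseif ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        $where = if ($localCA -contains $c.Thumbprint) { 'in local CA store' } else { 'from handshake/AIA, not in local CA store' }
        "  [{0}] {1,-12} {2}  ({3})" -f $i, $kind, $c.Subject, $where
        $i++
    }

    # What the status means for the scenario in the question.
    if ($captured.Status -contains 'PartialChain') {
        "=> PartialChain: an issuer is missing. Make the server send the intermediate (what fixed"
        "   the original poster's problem) or deploy it to clients' Intermediate CA store via GPO."
    } elseif ($captured.Status -contains 'UntrustedRoot') {
        "=> UntrustedRoot: the root itself is not trusted here; that is what the automatic root"
        "   certificate update / CTL mechanism delivers, not an intermediate."
    } else {
        "=> Chain is complete and trusted on this client."
    }
}

# Usage (placeholder host):
# Test-ServerCertChain -HostName 'intranet.example.internal'
```

    Run it on an affected Windows 7 client and on a working one: if the intermediate shows up only as "from handshake/AIA" on the working machine, the server is not sending it and the fix belongs on the server, as the accepted answer says. If you do decide to pre-distribute it anyway, the GPO location is Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Intermediate Certification Authorities.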
  • Client machines which can contact Microsoft.com will auto-download root certs from Microsoft, if the root CA owner participates in Microsoft's Trusted Root Certificate Program. This happens on-the-fly (e.g. if you point your browser at iTunes.com and want to download iTunes, you will see your computer identify the root cert it needs and it will automatically retrieve that root CA cert from the Microsoft TRP repository). (You'll see this in the CAPI2 log if you enable CAPI2 logging.)

    Or, the automatic updater I mentioned above will periodically check/grab the CTL from Microsoft.com.

    Otherwise, you'll need to manually deploy the certs you need.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Monday, March 7, 2016 7:55 AM

All replies

  • On 06.03.2016 MTorabi wrote:

    Inside our domain we get a certificate error on Windows 7 clients because of the lack of the GeoTrust DV SSL CA - G4 intermediate certificate.
    Actually, the chain is not trusted on those clients. When we install it manually the problem vanishes, but in fact I am looking for a way to do it using Windows Update Services. Is there any specific Windows Update package to do this?

    Why don't you do this with Group Policy Objects?

    Winfried


    WSUS Package Publisher: http://wsuspackagepublisher.codeplex.com/
    http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx
    http://www.wsuswiki.com/Home

    Sunday, March 6, 2016 10:11 AM
  • Have you deployed this automatic updater? https://support.microsoft.com/en-us/kb/2677070

    Or, if your machines do not auto-update via KB2677070 by contacting Microsoft at ctldl.windowsupdate.com, do you manually manage CTLs with this method?
    https://support.microsoft.com/en-us/kb/2813430

    Reference: https://technet.microsoft.com/en-us/library/dn265983.aspx

    Reference: https://technet.microsoft.com/en-us/library/security/3123040.aspx

    Recommendation.
    An automatic updater of certificate trust lists is included in supported editions of Windows 8, Windows 8.1, Windows RT, Windows RT 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, and Windows 10 Version 1511, and for devices running Windows Phone 8, Windows Phone 8.1, and Windows 10 Mobile. For these operating systems and devices, customers do not need to take any action as these systems and devices will be automatically protected.


    For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2 that are using the automatic updater of certificate trust lists (see Microsoft Knowledge Base Article 2677070 for details), customers do not need to take any action as these systems will be automatically protected.


    Don [doesn't work for MSFT, and they're probably glad about that ;]

    Sunday, March 6, 2016 10:25 AM
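    Don's replies describe three ways a Windows 7 client can end up with current roots: on-the-fly download from ctldl.windowsupdate.com, the KB2677070 automatic updater, or manually managed CTLs per KB2813430 (or manual deployment when automatic root update is turned off). The following added example (not code from the thread or from Microsoft) reports which route a given client is actually on, and adds a helper for the CAPI2 log Don mentions. It assumes Windows PowerShell 2.0 or later, the `DisableRootAutoUpdate` value that the "Turn off Automatic Root Certificates Update" policy writes, and the `RootDirUrl` value KB2813430 uses for redirecting the download; the optional download test fetches the public `authrootstl.cab` and needs Internet or proxy access.

```powershell
# Added diagnostic, not from the thread. Which root/CTL update route is this client on?
function Get-RootUpdateRoute {
    param([switch]$TestDownload)

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $autoKey   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

    # "Turn off Automatic Root Certificates Update" policy sets DisableRootAutoUpdate = 1.
    $disabled = $false
    if (Test-Path $policyKey) {
        $disabled = ((Get-ItemProperty -Path $policyKey).DisableRootAutoUpdate -eq 1)
    }

    # KB2813430 manual CTL management redirects the client to an internal share/URL.
    $rootDirUrl = $null
    if (Test-Path $autoKey) {
        $rootDirUrl = (Get-ItemProperty -Path $autoKey).RootDirUrl
    }

    # Is KB2677070 listed? Absence is not conclusive: it may have arrived inside a later update.
    $kbListed = [bool](Get-HotFix -Id 'KB2677070' -ErrorAction SilentlyContinue)

    # Roots pulled down automatically land in the Third-Party Root CAs store (AuthRoot).
    $authRootCount = @(Get-ChildItem Cert:\LocalMachine\AuthRoot -ErrorAction SilentlyContinue).Count

    if ($disabled) {
        $route = 'Automatic root update disabled by policy: roots/CTL must be deployed by hand (GPO, certutil)'
    } elseif ($rootDirUrl) {
        $route = "KB2813430 manual CTL management: client fetches from $rootDirUrl"
    } else {
        $route = 'Default: roots fetched on demand from ctldl.windowsupdate.com (needs Internet/proxy access)'
    }

    $download = 'not tested'
    if ($TestDownload) {
        # The on-the-fly route: the CTL cabinet Windows pulls when it needs a new root.
        $url = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
        try   { $bytes = (New-Object System.Net.WebClient).DownloadData($url); $download = "reachable ($($bytes.Length) bytes)" }
        catch { $download = "unreachable: $($_.Exception.Message)" }
    }

    New-Object PSObject -Property @{
        Route                 = $route
        DisableRootAutoUpdate = $disabled
        RootDirUrl            = $rootDirUrl
        KB2677070Listed       = $kbListed
        AuthRootStoreCount    = $authRootCount
        CtlDownload           = $download
    }
}

# Don's pointer to the CAPI2 log: enable it (needs admin) and list recent chain-building
# events that mention network retrieval or a broken chain; the details live in the event XML.
function Get-Capi2ChainEvents {
    param([int]$Last = 200)
    wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true
    Get-WinEvent -LogName 'Microsoft-Windows-CAPI2/Operational' -MaxEvents $Last -ErrorAction SilentlyContinue |
        Where-Object { $_.ToXml() -match 'windowsupdate\.com|AuthRoot|PartialChain|UntrustedRoot' } |
        Select-Object TimeCreated, Id, TaskDisplayName
}

# Usage:
# Get-RootUpdateRoute -TestDownload | Format-List
# Get-Capi2ChainEvents -Last 100
```

    Read the result against the question: none of these routes delivers an intermediate, which is why no WSUS package exists for it. What WSUS can influence is only whether KB2677070 (or a later update carrying it) reaches the client; the root download itself still goes to ctldl.windowsupdate.com unless you redirect it with KB2813430's RootDirUrl and populate that share yourself.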
  • Hi

    Thank you so much.

    Installing the intermediate certificate on my server resolved my problem!

    But I wanna know what kind of updates inside WSUS will update my trusted root list. I mean security updates or what?

    Thank you so much, bud!

    Monday, March 7, 2016 6:40 AM
  • Thank you so much for the advanced information and the solution

    ;)

    Tuesday, March 8, 2016 5:10 AM