WIN7 authroot.stl & disallowedcert.stl / CTL signed with improper certificate -> "certificate is not valid for the requested usage"

  • Question

  • It seems that the "Microsoft Certificate Trust List Publisher" certificate (valid 01.27.2017-04.12.2018) is missing the following EKU, 'Microsoft Trust List Signing' (1.3.6.1.4.1.311.10.3.1)?!

    -ExtendedKeyUsage
         -Usage
              [ oid] 1.3.6.1.4.1.311.10.3.1
              [ name] Microsoft Trust List Signing

    -ErrorStatus
         [ value] 10
         [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true

    Note: KB2328240 is imho not permanently fixing this problem! (It only cures some derived symptoms.)

    Monday, March 19, 2018 6:04 AM

All replies

  • Hi,

    From the reference, you can import the certificate from another machine that has the same version as yours.

    https://answers.microsoft.com/en-us/ie/forum/ie8-windows_7/trusted-root-certificates-and-trusted-publishers/4da68075-51c7-41dd-8cb5-a38f88f3721a

    As mentioned in the reference: "Find a Windows 7 that has all of its certificates intact. Run MMC and add the certificates snap-in for the local computer. Browse to the Trusted Root Certificates and find the "GTE CyberTrust" certificates. Highlight and select all of the GTE certificates and export them to a file. Copy this file to a flash drive, email it to yourself, etc.

    From the broken Windows 7 computer run MMC and add the certificates snap-in for the local computer. Browse to the Trusted Root Certificates and import the cert file that contains the GTE certificates. Now you can receive Windows Updates and amazingly you will now get all of the missing certificates."


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Tuesday, March 20, 2018 9:50 AM
  • Hi Vivian,

    thx for reply ;-)

    The problem is not on our side, it is on Microsoft's side!

    If you download authroot.cab and disallowedcert.cab from the official Microsoft distribution point, the .stl files inside these two .cab files are digitally signed with the mentioned Microsoft certificate, which is missing the enhanced key usage (1.3.6.1.4.1.311.10.3.1), resulting in the CAPI2 error described above.

    kr Mike

    Tuesday, March 20, 2018 10:05 AM
  • Hi Mike,

    Based on the situation, I will forward this information to the appropriate department through our internal channel. Both the Microsoft Product Team and Development Team take into consideration all suggestions and feedback for future releases.

     Thank you for your understanding and cooperation. Your information is of great importance for improving our product and service.


    Wednesday, March 21, 2018 6:41 AM
  • Hi Vivian,

    the problem still exists !

    any news so far ?

    Thursday, April 26, 2018 11:54 AM
  • Can you provide where and what you downloaded so that I can reproduce your problem in my test environment?

    The download link and content are required, and what did you do to cause the error shown in the Event Log?


    Friday, April 27, 2018 7:02 AM
  • http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

    http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

    Download these two .cab files, then open them! Inside you'll find the .stl files; open them and you'll see that the certificate used to sign them is not valid for signing "Trust-Lists".

    Kr

    Monday, April 30, 2018 11:34 AM
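    The check described in this post, and the CAPI2 status from the opening post (CERT_TRUST_IS_NOT_VALID_FOR_USAGE, value 0x10), can be reproduced without a GUI. The following PowerShell script is an added example and is not code from this thread, from Microsoft or from the linked blog. It assumes: a scratch directory under $env:TEMP; that expand.exe extracts the cabinets and that they contain authroot.stl and disallowedcert.stl; and that System.Security.Cryptography.Pkcs.SignedCms can decode an .stl file as ordinary PKCS#7 SignedData (it is PKCS#7 with a CTL content type, but the decode step has not been verified here). The function Test-CtlSignerEku is a name chosen for this example.

```powershell
# Added example: download both CTL cabinets, extract the .stl files and report
# whether the signing certificate carries the Microsoft Trust List Signing EKU.
$ErrorActionPreference = 'Stop'
Add-Type -AssemblyName System.Security   # SignedCms lives in System.Security.dll on Windows PowerShell 5.1

$TrustListSigningOid = '1.3.6.1.4.1.311.10.3.1'   # 'Microsoft Trust List Signing', as quoted in the CAPI2 event
$Base = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en'
$Cabs = 'authrootstl.cab', 'disallowedcertstl.cab'
$Work = Join-Path $env:TEMP 'ctl-check'           # assumed scratch directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Test-CtlSignerEku {
    param([Parameter(Mandatory)][string]$StlPath)

    # Assumption: an .stl file decodes as PKCS#7 SignedData; the CTL itself is the inner content,
    # the signer certificate is what CAPI2 evaluates against the application policy.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([System.IO.File]::ReadAllBytes($StlPath))
    $signer = $cms.SignerInfos[0].Certificate

    # Collect the EKU OIDs actually present in the signing certificate (empty if no EKU extension).
    $ekuExt = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Rebuild the chain with the same application policy CAPI2 requires for a CTL signature.
    # X509ChainStatusFlags.NotValidForUsage is the managed name for CERT_TRUST_IS_NOT_VALID_FOR_USAGE (0x10).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $TrustListSigningOid)) | Out-Null
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # the question here is usage, not revocation
    $built  = $chain.Build($signer)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        File        = Split-Path $StlPath -Leaf
        Signer      = $signer.Subject
        NotBefore   = $signer.NotBefore
        NotAfter    = $signer.NotAfter
        Ekus        = ($ekus -join ', ')
        HasCtlEku   = ($ekus -contains $TrustListSigningOid)
        ChainBuilt  = $built
        ChainStatus = ($status -join ', ')
    }
}

foreach ($cab in $Cabs) {
    # One sub-directory per cabinet so the two .stl files are never confused.
    $dest = Join-Path $Work ([System.IO.Path]::GetFileNameWithoutExtension($cab))
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    $cabPath = Join-Path $dest $cab
    Invoke-WebRequest -Uri "$Base/$cab" -OutFile $cabPath

    # expand.exe ships with Windows; -F:* extracts every file in the cabinet.
    & "$env:SystemRoot\System32\expand.exe" $cabPath -F:* $dest | Out-Null

    Get-ChildItem -Path $dest -Filter '*.stl' |
        ForEach-Object { Test-CtlSignerEku -StlPath $_.FullName } |
        Format-List
}
```

    A healthy result shows HasCtlEku = True and ChainStatus empty; a signer lacking the EKU shows HasCtlEku = False and NotValidForUsage in ChainStatus, which is the same condition the CAPI2 event in the opening post reports. Because the chain is built against the local machine's store, the output also tells you whether the issue is the signer certificate itself (as this thread argues) or a root missing from the machine under test (the case the earlier "GTE CyberTrust" reply addresses).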
  • From the blog, we can try to update the trusted root certificates

    https://www.sysadmins.lv/blog-en/dump-authroot-and-disallowed-certificates-with-powershell.aspx

    Note: this is a 3rd party link, we don't have any warranties on this website. It's just for your convenience.


    Wednesday, May 2, 2018 9:39 AM
  • Hi Vivian,

    We don't want to dump them, we'd love to download them from official sources with the OS built-in mechanisms, so why is Microsoft not able to sign their own .stl files with correct certificates valid for this usage???

    kr

    Wednesday, May 2, 2018 9:48 AM
  • The issue has been reported elsewhere as well, and an explanation hasn't been found yet.

    https://www.vistax64.com/threads/microsoft-s-silent-trusted-root-authority-update-is-invalid.200060/

    https://social.technet.microsoft.com/Forums/windows/de-DE/662d0db3-275c-4c4a-adde-17163e71d45c/update-for-root-certificates?forum=w7itprogeneral


    Thursday, May 3, 2018 9:01 AM