Remediation for Diginotar Certificate
Hi,
We have a 2-tier PKI infrastructure for wireless users connecting through a RADIUS server.
Recently we got the news about the DigiNotar certificate: they have been attacked, and as mala fide certificates are now used on the internet, more and more companies are now revoking DigiNotar root certificates.
Refer to the link:
http://translate.google.com/translate?sl=nl&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Fwww.rijksoverheid.nl%2Fnieuws%2F2011%2F09%2F03%2Foverheid-zegt-vertrouwen-in-de-certificaten-van-diginotar-op.html
As we know, it will not affect Windows Vista, Windows 7 and Windows 2008 machines, because Microsoft has removed the DigiNotar root certificate from the Microsoft Certificate Trust List.
Refer to the link:
http://www.microsoft.com/technet/security/advisory/2607712.mspx
But we have a lot of Windows XP clients as well.
So kindly suggest what to do for the XP clients, as the DigiNotar certificate is already there in Trusted Root Certification Authorities.
September 5th, 2011 12:11pm
Ajit,
If necessary, you can always programmatically remove the DigiNotar certificate using .NET and some type of deployment product (even GPO would suffice for delivery). As an example, I have some code that may fit what you need. Take a look, review and make modifications for your environment:
http://www.devtrends.com/index.php/remove-diginotar-certificate-with-vb-net/
September 6th, 2011 6:43pm
Please check the out of band update (Windows XP included!):
Article ID: 2607712 - Last Review: September 6, 2011 - Revision: 1.0
Microsoft Security Advisory: Fraudulent digital certificates could allow spoofing
http://support.microsoft.com/kb/2607712
/Hasain
September 6th, 2011 8:53pm
Why does it update crypt32.dll? Is removing the relevant certs from the trusted store insufficient?
September 6th, 2011 11:58pm
I am gonna use the http://support.microsoft.com/kb/2607712 patch for our environment.
Thanks all for your reply.
September 7th, 2011 2:42pm
After applying the Microsoft Security Patches of September 2011, including KB2616676 (DigiNotar certificates untrusting), our Windows machine shows 6 DigiNotar items in Untrusted Certificates. According to http://technet.microsoft.com/en-us/security/advisory/2607712 there should be 11 such items. What is wrong?
September 17th, 2011 3:36pm
The problem is that DigiNotar is present in 3 categories:

DigiNotar personal roots (Issuer -> Subject):
DigiNotar Root CA -> DigiNotar Root CA
DigiNotar Root CA G2 -> DigiNotar Root CA G2

These roots did not participate in the root certificate program for Windows XP/Windows Server 2003. In addition, DigiNotar Root CA G2 is a SHA2 root. SHA2 certificates are not supported by Windows XP and Windows Server 2003.

DigiNotar intermediate CAs signed by Netherlands government roots (Issuer -> Subject):
Staat der Nederlanden Overheid CA -> DigiNotar PKIoverheid CA Overheid
Staat der Nederlanden Organisatie CA - G2 -> DigiNotar PKIoverheid CA Organisatie - G2
Staat der Nederlanden Overheid CA -> DigiNotar PKIoverheid CA Overheid en Bedrijven

The Netherlands government roots did not participate in the root certificate program for Windows XP/Windows Server 2003. Again, DigiNotar PKIoverheid CA Organisatie - G2 is a SHA2 CA.
As far as I understand, the CA certificates specified above were installed only on Windows Vista+. The Netherlands government roots are still there, but they are all SHA2.

DigiNotar CAs signed by common roots (Issuer -> Subject):
Entrust.net Secure Server Certification Authority -> DigiNotar Services 1024 CA
GTE CyberTrust Global Root -> DigiNotar Cyber CA
GTE CyberTrust Global Root -> DigiNotar Cyber CA
Entrust.net Secure Server Certification Authority -> DigiNotar Root CA
Entrust.net Secure Server Certification Authority -> DigiNotar Root CA
GTE CyberTrust Global Root -> DigiNotar Cyber CA

These CAs are general-purpose CAs that were trusted by all Microsoft Windows systems. These 6 certificates are explicitly untrusted on all Windows platforms, and an additional 5 certificates are explicitly untrusted on Windows Vista+ systems.
HTH
My weblog: http://en-us.sysadmins.lv
PowerShell PKI Module: http://pspki.codeplex.com
Windows PKI reference: on TechNet wiki
September 18th, 2011 5:20pm
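An added PowerShell audit script, written for this page and not taken from the thread or the linked devtrends post, that serves both the earlier "remove it programmatically with .NET" suggestion and the "6 versus 11 items in Untrusted Certificates" question: it counts DigiNotar entries per store using the .NET X509Store API, which works under PowerShell 2.0 on Windows XP where the Cert: drive is read-only. The match pattern, the store list and the -RemoveFromRoot switch are this example's own assumptions; run it from an elevated prompt so the LocalMachine stores are accessible.

```powershell
# Added example: audit (and optionally remove) DigiNotar entries in the Windows
# certificate stores via .NET X509Store. Not from the thread; the match pattern,
# store names and the -RemoveFromRoot switch are this example's own assumptions.
param([switch]$RemoveFromRoot)

# Assumed pattern: it matches the subject or issuer of every cert in the three tables above.
$pattern = 'DigiNotar'

function Get-DigiNotarCerts {
    param([string]$StoreName, [string]$Location)
    # X509Store(string, StoreLocation) is usable from PowerShell 2.0, where Cert: is read-only.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, $Location)
    $store.Open('ReadOnly')
    $hits = @($store.Certificates | Where-Object { $_.Subject -match $pattern -or $_.Issuer -match $pattern })
    $store.Close()
    return ,$hits
}

# 'Disallowed' is the store the MMC snap-in shows as "Untrusted Certificates"; per the
# thread, XP/2003 should end up with 6 DigiNotar entries there and Vista+ with 11.
foreach ($location in 'LocalMachine', 'CurrentUser') {
    foreach ($name in 'Root', 'CA', 'Disallowed') {
        $certs = Get-DigiNotarCerts -StoreName $name -Location $location
        '{0}\{1}: {2} DigiNotar entries' -f $location, $name, $certs.Count
        foreach ($c in $certs) {
            '    Subject:    {0}' -f $c.Subject
            '    Issuer:     {0}' -f $c.Issuer
            '    Thumbprint: {0}' -f $c.Thumbprint
        }
    }
}

# Optional extra mitigation: drop DigiNotar roots from the trusted Root stores.
# Entries in Disallowed already override trust, so this is belt-and-braces, not a
# substitute for the KB2616676 update.
if ($RemoveFromRoot) {
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
        $store.Open('ReadWrite')
        $doomed = @($store.Certificates | Where-Object { $_.Subject -match $pattern })
        foreach ($c in $doomed) {
            $store.Remove($c)
            'Removed from {0}\Root: {1}' -f $location, $c.Subject
        }
        $store.Close()
    }
}
```

The count in the Disallowed store is the check that the rereleased update actually landed; a cert that also remains in Root is still rejected as long as it is listed in Disallowed.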
The problem is that ...
Anyhow, in the Microsoft Security Advisory (2607712) edition from September 13th, Microsoft claimed: "In the Certificates MMC snap-in, verify that the following certificates have been added to the Untrusted Certificates folder: <list of 11 certificates follows>".
Now, with the update from September 19th, this issue is clarified.
The patch from 13th Sept. didn't work properly.
For more details see:
-------- Original Message --------
Subject: Microsoft Security Advisory Notification
Date: Mon, 19 Sep 2011 13:50:00 -0600
From: Microsoft <securitynotifications@e-mail.microsoft.com>
Reply-To: Microsoft <reply-fe9415707260027970-887307_TEXT-372202264-188147-248@email.microsoftemail.com>
To: <blablabla@blabla.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
********************************************************************
Title: Microsoft Security Advisory Notification
Issued: September 19, 2011
********************************************************************
Security Advisories Updated or Released Today
==============================================
* Microsoft Security Advisory (2607712)
- Title: Fraudulent Digital Certificates Could Allow Spoofing
- http://technet.microsoft.com/security/advisory/2607712
- Revision Note: V5.0 (September 19, 2011): Revised to announce
the rerelease of the KB2616676 update. See the Update FAQ in
this advisory for more information.
Other Information
=================
...
The FAQ added on Sept. 19th:
Why was this advisory revised September 19, 2011?
Microsoft revised this advisory to announce the rerelease of the KB2616676 update. The rerelease is now cumulative and addresses a known issue described in Microsoft Knowledge Base Article 2616676 where the original KB2616676 update, on supported editions of Windows XP and Windows Server 2003 only, did not contain the digital certificates included in the KB2607712 and KB2524375 updates.
Customers of supported editions of Windows XP and Windows Server 2003 should apply the rereleased version of the KB2616676 update to be protected against the use of the fraudulent certificates as specified in this advisory. Customers of supported editions of Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2 are not affected by this rerelease.
Note The update will not be offered to customers of supported editions of Windows XP and Windows Server 2003 in the case where the original KB2616676, KB2607712, and KB2524375 updates have all been previously applied as the rerelease package is cumulative and contains all changes from these three update packages.
The majority of customers have automatic updating enabled and will not need to take any action because the rereleased KB2616676 update will be downloaded and installed automatically.
Regards
September 20th, 2011 12:05am