Event ID 8, Crypt32, Root Certificate Updating - can we do it manually or centrally?
We have a proportion of our environment that we do not permit to access the Internet. Most of the rest of our systems also have to use a proxy server (non-Microsoft appliance) to obtain access to the Internet, but only to authenticated users. We get a lot of errors relating to http://support.microsoft.com/default.aspx?scid=kb;en-us;317541 - where the Event log reports it cannot access http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt. For the computers that can access the Internet through authenticated proxy, they can open IE and access this site with no problem. We have added this entire site to our proxy server to allow bypass, but because the proxy server authenticates by user and not computer account, it does not resolve this problem. We also have a series of SSL certificates that have been applied to systems, but because these are new certs, they are not trusted because the certificate cannot be verified up to a trusted root certification authority - because the clients cannot obtain updated trusted root certificates. We could download as .CER and install all the root certificates for our new SSL certs on all clients - but we have thousands of clients and lots of certs - and we don't want to have to do this each time we get a new cert or the vendor changes their CA. Is there a way for us to download and obtain the latest certificates automatically without allowing each client PC to do this themselves? We have XP SP3, Windows 7, 2003&2008&2008R2, SCCM, AD is 2003 with some 2008 R2 servers, we have an internal CA, all clients are domain members and get Group Policy.
October 24th, 2010 9:34pm

Hi, Thanks for posting in Microsoft TechNet Forum. Regarding how to download and obtain the latest certificates automatically without allowing each client PC to do this themselves, you could refer to the following link Add a trusted root certification authority to a Group Policy object: Security Configuration Editor Hope it helps. Regards, Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
October 26th, 2010 4:36pm

Hi, Thank for posting in Microsoft TechNet Forum. If you need further help, you could post here, and we are willing to help you. Regards, Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 28th, 2010 10:45pm

Is this helpful: http://admindiary.net/post/2011/02/08/Fixing-Crypt32-Event-ID-8-Failed-auto-update-retrieval-of-third-party-root-list.aspx
Free Windows Admin Tool Kit Click here and download it now
February 9th, 2011 2:18am

We have the capability to deploy Certificates via GPO, but did not know which certificates we need to mitigate this crypt32 warning. We attempted manually importing the CERs into a GPO and deploying them but that did not seem to mitigate the Event log warnings. Therefore I downloaded the March 2011 Windows Root Certificate Update from the Windows Catalog, and deployed the EXE to the affected systems. We are testing to see if this mitigates the Event ID 8 Crypt32 where Root Certificate can't access download.windowsupdate.com, which we disable and block
April 1st, 2011 2:51pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics