Update for Root Certificates
Hi,

Actually, due to proxy problems, we have prohibited Windows clients from automatically updating their Trusted Root Certification Authorities. We manage this by deploying the "Update for Root Certificates [November 2009] (KB931125)" update using WSUS. Most of our workstations are Windows XP, and now we are working on deploying Windows 7. How can we handle the problem described above? I mean, the Update for Root Certificates is designed for Windows XP. I see that Windows 7 workstations won't receive it from WSUS. We tried to manually install the update on some machines and it worked, but it will be a hard task to update all machines manually :o)

Thanks in advance,
Eduardo
March 23rd, 2010 6:11pm

From what I see, this update is only needed for XP PCs and Windows 7 doesn't need it.

"A programmer is just a tool which converts caffeine into code" CLIP - Stellvertreter http://www.winvistaside.de/
March 23rd, 2010 6:52pm

I thought that too, but some web sites here use UserTrust certificates, and for some reason they are not trusted by an out-of-the-box Windows 7. The web sites are only trusted after manually installing the root certificate in the Trusted Root store (which is painful for the users to do) or installing the update above.
March 24th, 2010 3:46pm

You can download the package of KB931125, then use the command "DISM" to add this package to the Windows 7 image. Then you may deploy Windows 7 with this image.

Operating System Package Servicing Commands

Arthur Xie - MSFT
March 25th, 2010 11:42am

OK, it's a good option. But I still need to update the Windows 7 desktops that are already running :) The perfect resolution for me would be an "Update for Root Certificates" for Windows 7. Anyway, thanks for the info, Arthur!
April 2nd, 2010 1:29am

Hi,

Currently we cannot download the update package manually. It needs to be installed via Windows Update. Therefore, as you mentioned, you need to install a sample Windows 7 system and apply that update. Then get the package from the system.

Arthur Xie - MSFT
April 2nd, 2010 7:55am

Sorry, but what's the name of this package on Windows 7? I've searched for it, but couldn't find it. We have WSUS here too, but again I couldn't find the package in it. The package "KB931125" is the one that's only for Windows XP...
April 8th, 2010 5:32pm

Just to let you know, I've managed to solve this problem.

On Windows XP, the "automatic update of root certificates" feature doesn't know how to work behind a proxy. It tries to directly download the new root certificates, but gets blocked by our proxy. To stop the crypt32 errors from showing up in the Event Log, we disabled this feature (by GPO).

But now on Windows 7 I've just found that this same feature knows that it's behind a proxy, and even asks for authentication. The update is automatically triggered every time the user faces a still unknown certification authority. I just re-enabled the feature on our domain policy, and it worked perfectly!

Some additional info: http://technet.microsoft.com/en-us/library/cc749331%28WS.10%29.aspx

BTW, now I'm pretty sure that there isn't any kind of KB931125 for Windows 7.
June 7th, 2010 4:30pm

Eduardo,

I'm in agreement with you that KB931125 doesn't seem to be applicable to Windows 7. As far as I know, the CryptoAPI 2.0 (Cryptography Next Generation -- CNG) engine in Windows 7 automatically engages an update process in the background when it encounters a certificate that it doesn't trust. If the computer has access to the Internet, then it will automatically obtain the latest trusted root CA cab file from:

http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

What's interesting is that if I download the above file manually and then extract it, I can right-click on the certificate trust list (STL) file and click "Install CTL". So, theoretically, if I needed to push the trusted root CA updates to systems that can't access the above URL, I could download this CAB file and extract it. But then I think we're at a crossroads of two options:

1) Import the STL file into a package distribution mechanism such as System Center Configuration Manager (SCCM) or a computer startup script in AD. In this case, my question is: what is the command line to import an STL file?

2) Import the STL file into a group policy object (GPO) in Active Directory, into the trusted root CA list. Not sure if this option is possible without further testing.

Another question: why is it that when I double-click the STL file, I see an error that says "This certificate trust list is not valid. The certificate that signed the list is not valid."? Additionally, if I click "View Signature", then "View Certificate", and then the "Certification Path" tab, I can see that the "Microsoft Certificate Trust List Publisher" certificate has an error: "This certificate does not appear to be valid for the selected purpose." What's the story with this error?

Thanks,
Frank
January 10th, 2011 4:59pm

I haven't tested this yet... but maybe the following procedure will work. Can someone from Microsoft verify?

First, a prerequisite: the "disconnected machine" needs to be able to access the following URLs to validate the certificate used to sign the STL:

http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl
http://www.microsoft.com/pki/crl/products/MicCerTruLisPCA_2009-04-02.crl

Next, download the authrootstl.cab file via:

http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

and extract the CAB file. Put the .STL file on your "disconnected machine". Then, run the following command from an elevated command prompt:

certutil.exe -f authroot.stl

Did that update the Root CAs for you?
January 10th, 2011 8:03pm
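The two approaches discussed in this thread (Eduardo's fix of re-enabling the automatic root update policy on Windows 7, and Frank's offline fallback of fetching authrootstl.cab and importing the CTL) can both be scripted. The script below is an added example and is not code from any of the posters or from Microsoft. It assumes the CAB URL quoted in the thread, and it uses `certutil -addstore -f root` rather than the bare `certutil -f` from the last post; the policy registry value it checks is the one behind the "Turn off Automatic Root Certificates Update" GPO setting linked above. Run it from an elevated PowerShell prompt; with `-Offline` it skips the download and imports whatever is already in the working directory.

```powershell
# Added example (not from the original thread). Automates:
#  1. the check behind Eduardo's fix: is "Turn off Automatic Root Certificates Update"
#     still switched on by policy on this Windows 7 box?
#  2. Frank's offline fallback: download authrootstl.cab on a connected machine,
#     expand it, and import authroot.stl (the CTL) into the machine Root store.
# Assumptions: $CabUrl is the URL quoted in the thread; $WorkDir is an arbitrary
# choice made here; expand.exe and certutil.exe ship with Windows 7.
param(
    [string]$WorkDir = "$env:TEMP\authroot",
    [string]$CabUrl  = 'http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',
    [switch]$Offline   # skip the download; expect $WorkDir\authrootstl.cab to be there already
)

$ErrorActionPreference = 'Stop'

# --- 1. Policy check. The GPO setting writes DisableRootAutoUpdate=1 under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy    = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'Automatic root update is turned off by policy (DisableRootAutoUpdate=1). Windows 7 can do this through an authenticating proxy, so consider re-enabling it in the GPO and running gpupdate.'
} else {
    Write-Host 'Automatic root update is not turned off by policy.'
}

# --- 2. Offline CTL import.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$cab = Join-Path $WorkDir 'authrootstl.cab'
$stl = Join-Path $WorkDir 'authroot.stl'

if (-not $Offline) {
    # Download through the system proxy, authenticating as the current user
    # (this is the part XP's auto-updater could not do by itself).
    $wc = New-Object System.Net.WebClient
    $wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
    $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $wc.DownloadFile($CabUrl, $cab)
}
if (-not (Test-Path $cab)) { throw "CAB not found at $cab (copy it here from a connected machine)" }

# expand.exe extracts a single named file from the CAB into $WorkDir.
& expand.exe -F:authroot.stl $cab $WorkDir | Out-Null
if (-not (Test-Path $stl)) { throw 'authroot.stl was not extracted from the CAB' }

# Import the CTL into the machine Root store; -f replaces an older copy of the CTL.
# certutil still needs to validate the CTL signature, so the CRL URLs listed in
# the thread must be reachable (or the CRLs cached) on the target machine.
& certutil.exe -addstore -f root $stl
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }

# Optional sanity check: dump the AuthRoot CTL now known to the machine.
& certutil.exe -verifyCTL AuthRoot
```

Downloading on one connected machine and distributing `$WorkDir` (or just the .stl) with a startup script or SCCM package that runs this with `-Offline` covers Frank's option 1; option 2 (pushing individual roots through a GPO) still requires the root certificates themselves, not the CTL, since the CTL only lists hashes and trust purposes.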
