My technical journal.


Keep your Root Authorities up to date

By default, Windows automatically updates its internal list of trusted root authorities as long as the Update Root Certificates function is installed. This component is enabled by default and takes manual intervention to remove.


With this component enabled, the following happens:

If you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update Web site to see if Microsoft has added the CA to its list of trusted authorities. If it has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to your trusted certificate store.

If the component is not installed and a certificate from an untrusted CA is encountered, the following text will be seen:


This is an inconvenience for the person browsing the site as they need to click to continue. Applications, though, will be unable to proceed and will throw an exception. Example:

12175 (0x00002F8F)
One or more errors were found in the Secure Sockets Layer (SSL) certificate sent by the server.

If you look at the certificate’s properties, you can see the “Issued by:” value:


This is the name of the server that issued the certificate. It is not the name of the Trusted Root Certificate Authority. To find that, use the “Certification Path” tab instead.


Highlight the issuing server and click “View Certificate” button to reveal the issuing CA – in this case “VeriSign Class 3 Public Primary Certification Authority – G5”.


This must match a Trusted Root Certificate Authority certificate in the current user’s certificate store.


So turn on automatic updating of trusted root authority certificates.

For Windows Vista and above, this option is controlled through Group Policy. See the “To Turn Off the Update Root Certificates Feature by Using Group Policy” section of the following TechNet article:

Certificate Support and Resulting Internet Communication in Windows Vista

If Windows Update is a blocked site, download and deploy the latest pack of root certificates from Microsoft:

Failing that, find a machine that has the latest root certificates installed and export them from there:

  1. Open up the Certificates console
  2. Right-click the required Trusted Root Certificate Authority certificate
  3. Choose Export from “All Tasks” to open up the Certificate Export Wizard
  4. Choose an export file format – DER should be fine
  5. Provide a file name and complete the export
  6. Move the file to the machine that’s missing the certificate
  7. Right-click the file and choose “Install Certificate” to open up the Certificate Import Wizard
  8. Do not allow the wizard to automatically select the certificate store. Instead choose “Place all certificates in the following store” and click Browse
  9. On the “Select Certificate Store” window, enable “Show physical stores” and highlight “Trusted Root Certification Authorities \ Local computer”
  10. Complete the import
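
The same check and import, scripted in PowerShell as an added example (not code from the original post): it builds the chain for a certificate file the way the “Certification Path” tab does, reports the top of that path, and, when that root is missing from the Local Computer Trusted Root store, imports a DER export of it. The file paths are assumptions; Import-Certificate and Export-Certificate come from the PKI module (Windows 8 / Server 2012 and later) and writing to the machine store needs an elevated prompt.

```powershell
# Added example: find the root CA that anchors a certificate's chain and make sure
# that root is present in "Trusted Root Certification Authorities \ Local computer".
# Both paths are assumptions; run from an elevated PowerShell on the affected machine.
param(
    [string]$LeafCertPath   = 'C:\temp\server.cer',   # certificate presented by the server (assumed path)
    [string]$RootExportPath = 'C:\temp\root.cer'      # DER export of the root from a machine that trusts it (assumed path)
)

# Build the chain the same way the "Certification Path" tab does.
$leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $LeafCertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust anchor matters for this check
$built = $chain.Build($leaf)

# The last chain element is the highest certificate Windows could find;
# when Build succeeds, that is the trusted root.
$top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
Write-Host "Issued by (immediate issuer): $($leaf.Issuer)"
Write-Host "Top of certification path:    $($top.Subject)"

# Look the top certificate up in the Local Computer Trusted Root store by thumbprint.
$trustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $top.Thumbprint }

if ($built -and $trustedRoot) {
    Write-Host "Root '$($top.Subject)' is already trusted on this machine."
}
else {
    # ChainStatus explains the failure, e.g. UntrustedRoot or PartialChain.
    foreach ($s in $chain.ChainStatus) {
        Write-Host "Chain status: $($s.Status) - $($s.StatusInformation)"
    }
    if (Test-Path $RootExportPath) {
        # Same result as the Certificate Import Wizard with the store set to
        # "Trusted Root Certification Authorities \ Local computer".
        Import-Certificate -FilePath $RootExportPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        Write-Host "Imported $RootExportPath into Cert:\LocalMachine\Root."
    }
    else {
        Write-Host "Root not trusted and no export found at $RootExportPath."
        Write-Host "On a machine that trusts it, export the root with:"
        Write-Host "  Export-Certificate -Cert (Get-ChildItem Cert:\LocalMachine\Root | Where-Object { `$_.Thumbprint -eq '$($top.Thumbprint)' }) -FilePath $RootExportPath -Type CERT"
    }
}
```

If the chain stops at an intermediate (PartialChain), the thumbprint printed for the export hint is that intermediate's, so take the thumbprint from the Certification Path tab on a machine where the full chain builds.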


Thanks to Gurpal Basra for his valuable input.

Posted on Thursday, June 20, 2013 10:52 AM

