Trusted Roots and Disallowed Certificates
Configure Trusted Roots and Disallowed Certificates (updates certificates from Microsoft)
Connected Environments
Use WSUS or let the server update directly from Microsoft (Microsoft Trusted Root Certificate Program)
Microsoft Trusted Root Certificate Program Participant list
http://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx
Prereqs
Install KB2813430 (enables administrators to update trusted and disallowed CTLs)
Errata: Windows Update service is not required to be running.
Client/Server must ensure connectivity to the Microsoft Windows Update Web site.
Update Root Certificates (Updates third-party root list)
Enabled by default
Can be turned off through Group Policy
Look in Application log for source CAPI2
Event ID 7: Success
Event ID 8: Failed
Sources
https://technet.microsoft.com/library/cc749331.aspx
https://technet.microsoft.com/en-us/library/cc733922(v=ws.10).aspx
Extract
“The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.”
Disconnected Environments
Use this command to download the CTLs to a share
certutil -syncWithWU \\<server>\<share>
Configure Windows to read from the share
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
REG_SZ RootDirURL = \\<server>\<share>
Default URL
ctldl.windowsupdate.com
URLs for direct download
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Sources
https://technet.microsoft.com/en-us/library/dn265983.aspx
Update Root Certificates (Updates third-party root list)
Can be turned off via Group Policy in disconnected environments. Not disabling it can lead to prolonged startup of services that use SSL (each one waits for the unreachable update site to time out)
GPO: Administrative Templates -> System -> Internet Communication Management -> Internet Communication -> Automatic Root Certificates Update = Turn Off
Verification (connected environments)
You can verify by listing your current certificates
get-childitem cert:\localmachine\root | select friendlyname, subject, thumbprint
Compare this list with the current list from Microsoft
http://aka.ms/rootupdates
Example: verify that buypass.no is not in your current list
get-childitem cert:\localmachine\root | where {$_.friendlyname -like "*buypass*"}
Open your Internet Explorer and visit https://buypass.no
Retrieve a new list of currently installed certificates
Verify that “Buypass Class 3 Root CA” is now in your current list -> If it is -> It is working!!
The count should now have increased by 1
(get-childitem cert:\localmachine\root).count
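The verification above, plus the CAPI2 event check from the Prereqs section, as one added script (not part of the original notes). It assumes an elevated Windows PowerShell 3+ session on a connected machine and uses buypass.no as the notes do; Invoke-WebRequest stands in for the Internet Explorer visit.

```powershell
# Added example (not from the original notes): check root auto-update config
# and outcome on a connected machine. Assumes elevated Windows PowerShell 3+.
$store = 'Cert:\LocalMachine\Root'

# 1. Configuration: RootDirURL overrides ctldl.windowsupdate.com (disconnected
#    setup); DisableRootAutoUpdate = 1 is what the "Turn Off" GPO writes.
$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$rootDirUrl = (Get-ItemProperty -Path $autoUpdateKey -Name RootDirURL -ErrorAction SilentlyContinue).RootDirURL
$disabled   = (Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
"RootDirURL            : $(if ($rootDirUrl) { $rootDirUrl } else { '<not set, default ctldl.windowsupdate.com>' })"
"DisableRootAutoUpdate : $(if ($disabled -eq 1) { 'ON (GPO)' } else { 'off' })"

# 2. Snapshot the root store before anything triggers a download.
$before = Get-ChildItem $store
"Roots before          : $($before.Count)"
"Buypass root present  : $([bool]($before | Where-Object { $_.FriendlyName -like '*buypass*' }))"

# 3. Trigger the update: an HTTPS connection to a site whose root is not yet
#    local goes through the same CryptoAPI chain build as the IE visit.
try { Invoke-WebRequest -Uri 'https://buypass.no' -UseBasicParsing | Out-Null }
catch { "Request failed: $($_.Exception.Message)" }

# 4. Compare: the count should grow by exactly one and the new root be Buypass.
$after = Get-ChildItem $store
$new   = $after | Where-Object { $before.Thumbprint -notcontains $_.Thumbprint }
"Roots after           : $($after.Count) (new: $($new.Count))"
$new | Select-Object FriendlyName, Subject, Thumbprint | Format-Table -AutoSize

# 5. CAPI2 in the Application log: Event ID 7 = update succeeded, 8 = failed.
Get-WinEvent -FilterHashtable @{ LogName='Application'; ProviderName='Microsoft-Windows-CAPI2'; Id=7,8 } `
             -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n='Result'; e={ if ($_.Id -eq 7) { 'Success' } else { 'Failed' } } }, Message |
    Format-List
```

If the store count does not change and no Event ID 7 appears, check the two registry values printed in step 1 and the connectivity requirement from the Prereqs section before anything else.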
Deleting certificates
This deletes all root certificates (Please note! You may break the server. Only in test environments)
# PSPath looks like Microsoft.PowerShell.Security\Certificate::LocalMachine\Root\<thumbprint>; the provider prefix is 43 characters
get-childitem cert:\localmachine\root | select -ExpandProperty pspath | foreach {$_.substring(43)} | foreach {remove-item cert:\$_}