Trusted Roots and Disallowed Certificates

Configure Trusted Roots and Disallowed Certificates (updates certificates from Microsoft)

 

Connected Environments
Use WSUS or let the server update directly from Microsoft (Microsoft Trusted Root Certificate Program)

Microsoft Trusted Root Certificate Program Participant list
http://social.technet.microsoft.com/wiki/contents/articles/31680.microsoft-trusted-root-certificate-program-updates.aspx

Prereqs
Install KB2813430 (enables administrators to update trusted and disallowed CTLs)
Errata: Windows  Update service is not required to be running.
Client/Server must ensure connectivity to the Microsoft Windows Update Web site.

 

Update Root Certificates (Updates third-party root list)
Is by default enabled
Can be turned off through Group Policy
Look in Application log for source CAPI2
Event ID 7: Success
Event ID 8: Failed
Sources
https://technet.microsoft.com/library/cc749331.aspx
https://technet.microsoft.com/en-us/library/cc733922(v=ws.10).aspx

Extract
“The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.”

 

Disconnected Environments
Use command to download to share
Certutil -syncWithWU \<server>\<share>

Configure windows to read from share
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
REG_SZ RootDirURL = \<server>\<share>

Default url
ctldl.windowsupdate.com

Url for direct download
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Sources
https://technet.microsoft.com/en-us/library/dn265983.aspx

Update Root Certificates (Updates third-party root list)
Can be turned of via Group Policy in disconnected environments. Not disabling it can lead to prolonged startup of services that uses SSL

GPO: Administrative Templates -> System -> Internet Communication Management -> Internet Communication -> Automatic Root Certificates Update = Turn Off

 

Verification (connected environments)
You can verify by listing your current certificates
get-childitem cert:\localmachine\root |  select friendlyname, subject, thumbprint
Compare this list with the current list from Microsoft
http://aka.ms/rootupdates
Example verify that buypass.no is not in your current list
get-childitem cert:\localmachine\root | where {$_.friendlyname -like “*buypass*”}
Open your Internet Explorer and visit https://buypass.no
Retrieve a new list of currently installed certificates
Verify that “Buypass Class 3 Root CA” is now in your currentlist -> If it is -> It is working!!
Count should now has increased by +1
(get-childitem cert:\localmachine\root).count

 

Deleting certificates
This deletes all root certifcates (Please notice! you may break the server. Only in test environments)
get-childitem  cert:\localmachine\root | select -ExpandProperty pspath | foreach {$.substring(43)} | foreach {remove-item cert:\$}