25th March 2014, 02:23 PM #1
Windows 7 and Root CAs KB931125
Is there something weird going on with the automatic update of Root CAs in Windows 7?
We keep getting sites showing invalid certificates because it cannot trace back to a valid Root CA. We use WSUS and when I check the latest KB931125 (dated March 2014) it says the update is expired and cannot be deployed - that is the latest version of the root CA update, so we've had to re-deploy the previous one (November 2013).
25th March 2014, 02:33 PM #2
Interesting problem - I have the November 2013 version deployed with no issues.
The March 2014 update would have been made available 11th March, so if there was an issue Microsoft would have fixed it by now (I would have thought).
Have you checked the verification of the certificates for problematic websites?
25th March 2014, 02:39 PM #3
It was issued on 11th March and expired on the 17th - and nothing has superseded it yet either!
The site is valid - but it's not recognising the CA as valid.
Oddly though the November one is marked as unexpired. It's only IE and Chrome that are objecting, Firefox is happy with the certificate authority - an example is http://www.edexcelonline.co.uk/
Last edited by Sheridan; 25th March 2014 at 02:45 PM.
25th March 2014, 02:48 PM #4
As you say, works fine with the November update. Maybe there is a problem after all if it expired on the 17th?
25th March 2014, 03:05 PM #5
Must be, I've had to redeploy the November one - will have to wait for WSUS to dish this update out!
25th March 2014, 03:42 PM #6
I was under the impression any MS OS post Vista no longer needed the Root CA updates.
From "How to get a Root Certificate update for Windows":
Windows Vista and Windows 7
Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.
To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, for Windows Vista and later versions, client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing, or server authentication properties [that is, certificate properties that are added to a root certificate]).
25th March 2014, 03:50 PM #7
I believe it (at least Windows 7, anyway) does still need these kinds of updates.
You could argue that at the rate Microsoft throw out IE updates, they could easily bundle it into one package.
25th March 2014, 04:03 PM #8
But... unless I am being really dumb, that MS article above clearly states that Vista and above don't need the updates.
Originally Posted by Michael
But that does beg the question why are they released for Win 7. But if I recall, they didn't used to release them for Win 7 via WSUS (a quick Google kinda confirmed this for me).
Last edited by sparkeh; 25th March 2014 at 04:05 PM.
25th March 2014, 04:05 PM #9
Is your proxy server blocking the CA URLs? e.g. crt.comodoca.com, crt.usertrust.com, evintl-aia.verisign.com etc.
Originally Posted by Sheridan
25th March 2014, 04:07 PM #10
According to this article (scroll down), these updates are used/required from Windows XP to the very latest Windows 8.1, so nothing's changed for both x86 and x64. Not sure about ARM.
25th March 2014, 04:08 PM #11
That's the article I linked to
Originally Posted by Michael
At the bottom it states Vista and above don't need them. Hence the confusion.
25th March 2014, 04:15 PM #12
Doh! On my part, but it's definitely needed either way. I think Windows Vista started the automation of downloading/installing these through Automatic Updates, but then again, I'm sure I've seen this on XP's creaky old Microsoft Update too (from memory).
Originally Posted by sparkeh
Point is if the root changes, every OS needs to know about it otherwise cert errors will occur. All modern browsers rely on this heavily as it can instantly tell between legitimate certs, outdated certs and bogus certs made to look like the real deal.
25th March 2014, 10:00 PM #13
It's just a fairly recent issue for us. We've only had problems in the last week or so, which might coincide with that retired update. Manually adding the November 2013 one seems to fix it though.
25th March 2014, 11:13 PM #14
It's not that IE can't check the CRL through the proxy?
25th March 2014, 11:21 PM #15
It can't be a proxy-related issue based on Sheridan's reply (or lack thereof) to my post above?
Originally Posted by free780
Last edited by Arthur; 25th March 2014 at 11:28 PM.
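The two causes debated in this thread (a root that is missing from the Windows trusted store, versus a proxy blocking certificate or CRL retrieval) can be told apart on an affected client. The PowerShell script below is an added example, not part of any poster's reply; `$HostName` is supplied by whoever runs it, and the `DisableRootAutoUpdate` policy value it reads is an assumption about how the site may be configured (it is the Group Policy value that turns off the automatic root update mechanism quoted in post #6).

```powershell
# Added example (not from the thread): classify why a site's chain fails on this client.
param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

# 1. Has Group Policy turned off automatic root update? (value 1 = disabled)
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
"Automatic root update disabled by policy: " + [bool]($pol -and $pol.DisableRootAutoUpdate -eq 1)

# 2. Fetch the server certificate. The callback accepts any certificate so that a
#    failing chain can still be inspected; no application data is exchanged.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# 3. Build the chain against the Windows stores with online revocation checking,
#    which is the view IE and Chrome get (Firefox uses its own root store).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'ExcludeRoot'
$trusted = $chain.Build($cert)
$chain.ChainElements | ForEach-Object { "  chain element: " + $_.Certificate.Subject }

# 4. Classify the failure from the chain status flags.
$flags = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
$last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($trusted) {
    "RESULT: chain is trusted by the Windows store"
} elseif (($flags -contains 'UntrustedRoot') -or ($flags -contains 'PartialChain')) {
    # Root absent from the trusted store, or an issuer certificate could not be fetched.
    "RESULT: no trusted root reached; missing or untrusted issuer: " + $last.Issuer
} elseif (($flags -contains 'RevocationStatusUnknown') -or ($flags -contains 'OfflineRevocation')) {
    "RESULT: chain reaches a trusted root but CRL/OCSP could not be fetched; check proxy rules"
} else {
    "RESULT: other failure: " + ($flags -join ', ')
}
```

Running it on an affected client and on one that has the November 2013 package shows whether the difference is the root store or network reachability.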