  1. #1
    Sheridan

    Windows 7 and Root CAs KB931125

    Is there something weird going on with the automatic update of Root CAs in Windows 7?

    We keep getting sites showing invalid certificates because it cannot trace back to a valid Root CA. We use WSUS and when I check the latest KB931125 (Dated March 2014) it says the update is expired and cannot be deployed - that is the latest version of the root CA update so we've had to re-deploy the previous one (November 2013).

  2. #2

    Michael
    Interesting problem - I have the November 2013 version deployed with no issues.

    The March 2014 update would have been made available 11th March, so if there was an issue Microsoft would have fixed it by now (I would have thought).

    Have you checked the verification of the certificates for problematic websites?

  3. #3
    Sheridan
    It was issued on 11th March and expired on the 17th - and nothing has superseded it yet either!

    The site is valid - but it's not recognising the CA as valid.

    Oddly though the November one is marked as unexpired. It's only IE and Chrome that are objecting, Firefox is happy with the certificate authority - an example is http://www.edexcelonline.co.uk/
    Last edited by Sheridan; 25th March 2014 at 01:45 PM.

  4. #4

    Michael
    As you say, works fine with the November update. Maybe there is a problem after all if it expired on the 17th?

  5. #5
    Sheridan
    Must be, I've had to redeploy the November one - will have to wait for WSUS to dish this update out!

  6. #6

    sparkeh
    Wait what?
    I was under the impression any MS OS post Vista no longer needed the Root CA updates.
    From "How to get a Root Certificate update for Windows":

    Windows Vista and Windows 7

    Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.

    To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, for Windows Vista and later versions, client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing, or server authentication properties [that is, certificate properties that are added to a root certificate]).

  7. #7

    Michael
    I believe (at least Windows 7 anyway) does need these kinds of updates still.

    You could argue that at the rate Microsoft throw out IE updates, they could easily bundle it into one package.

  8. #8

    sparkeh
    Originally posted by Michael:
    > I believe (at least Windows 7 anyway) does need these kinds of updates still.
    >
    > You could argue that at the rate Microsoft throw out IE updates, they could easily bundle it into one package.

    But... unless I am being really dumb, that MS article above clearly states that Vista and above don't need the updates.
    But that does beg the question why are they released for Win 7. But if I recall, they didn't use to release them for Win 7 via WSUS (a quick Google kinda confirmed this for me).

    Confused now
    Last edited by sparkeh; 25th March 2014 at 03:05 PM.

  9. #9


    Originally posted by Sheridan:
    > We keep getting sites showing invalid certificates because it cannot trace back to a valid Root CA.

    Is your proxy server blocking the CA URLs? e.g. crt.comodoca.com, crt.usertrust.com, evintl-aia.verisign.com etc.
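
Added example, not part of any post above and not Microsoft's own code: a PowerShell sketch that separates the three causes raised in this thread (root update switched off by policy, the CTL download blocked at the proxy, or AIA/CRL URLs blocked) by letting Windows build the chain and reporting its status flags. The host name is a placeholder; the policy value DisableRootAutoUpdate and the ctldl.windowsupdate.com CTL URL are assumed to be the ones applicable to the client being tested.

```powershell
# Added diagnostic sketch; $HostName is a placeholder, not a site from the thread.
param([string]$HostName = 'www.example.com', [int]$Port = 443)

# 1. Has Group Policy turned off the automatic root update mechanism?
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$val = (Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($val -eq 1) { 'Automatic root update: DISABLED by policy' }
else            { 'Automatic root update: not disabled by policy' }

# 2. Can this machine reach the CTL download location through its proxy?
$ctlUrl = 'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
try {
    $req = [System.Net.WebRequest]::Create($ctlUrl)
    $req.Method = 'HEAD'
    $req.Proxy = [System.Net.WebRequest]::GetSystemWebProxy()
    $req.Proxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
    $resp = $req.GetResponse()
    "CTL fetch: HTTP $([int]$resp.StatusCode)"
    $resp.Close()
} catch {
    "CTL fetch FAILED: $($_.Exception.Message)"
}

# 3. Fetch the server certificate, then let Windows build and judge the chain.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # The callback accepts any certificate so a failing chain can still be
    # inspected; no application data is sent over this connection.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$built = $chain.Build($cert)
"Chain valid: $built"
$chain.ChainElements | ForEach-Object { '  ' + $_.Certificate.Subject }
$chain.ChainStatus   | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

# Reading the flags:
#   UntrustedRoot                              -> root not in the Trusted Root store
#   PartialChain                               -> an issuer could not be found (AIA fetch blocked or missing)
#   RevocationStatusUnknown, OfflineRevocation -> CRL/OCSP could not be reached
```

Run it from an affected client under the same network path as the browser, and compare the output with a client where the site validates.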

  10. #10

    Michael
    According to this article (scroll down), these updates are used/required from Windows XP to the very latest Windows 8.1, so nothing's changed for both x86 and x64. Not sure about ARM.

  11. #11

    sparkeh
    Originally posted by Michael:
    > According to this article (scroll down), these updates are used/required from Windows XP to the very latest Windows 8.1, so nothing's changed for both x86 and x64. Not sure about ARM.

    That's the article I linked to.
    At the bottom it states Vista and above don't need them. Hence the confusion.

  12. #12

    Michael
    Originally posted by sparkeh:
    > That's the article I linked to.
    > At the bottom it states Vista and above don't need them. Hence the confusion.

    Doh! On my part, but it's definitely needed either way. I think Windows Vista started the automation of downloading/installing these through Automatic Updates, but then again, I'm sure I've seen this on XP's creaky old Microsoft Update too (from memory).

    Point is if the root changes, every OS needs to know about it otherwise cert errors will occur. All modern browsers rely on this heavily as it can instantly tell between legitimate certs, outdated certs and bogus certs made to look like the real deal.

  13. #13
    Sheridan
    It's just a fairly recent issue for us. We've only had problems in the last week or so which might coincide with that retired update. Manually adding the November 2013 one seems to fix it though.

  14. #14
    free780
    It's not that IE can't check the CRL through the proxy?

  15. #15


    Originally posted by free780:
    > It's not that IE can't check the CRL through the proxy?

    It can't be a proxy-related issue based on Sheridan's reply (or lack thereof) to my post above?
    Last edited by Arthur; 25th March 2014 at 10:28 PM.
