
Does WSUSOU install updated certificate trust/untrust lists?

Posted: 15.07.2014, 19:12
by friday123
It seems like once or twice a year I get an advisory from Microsoft that says "Improperly Issued Digital Certificates Could Allow Spoofing". Microsoft has a separate update system to update revoked certificates that is enabled by default in Windows 8 and optional in Windows Vista and 7. The most recent advisory states:

For systems running Windows Vista, Windows 7, Windows Server 2008, or Windows Server 2008 R2, and that do not have the automatic updater of revoked certificates installed, this update is not available. To receive this update, customers must install the automatic updater of revoked certificates (see Microsoft Knowledge Base Article 2677070 for details). Customers in disconnected environments and who are running Windows Vista, Windows 7, Windows 8, Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 can install update 2813430 to receive this update (see Microsoft Knowledge Base Article 2813430 for details).


Does WSUSOU do anything to deal with this certificate issue? I had just assumed Microsoft was making these updated certificate lists available via Windows Update. Thanks

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 15.07.2014, 20:56
by boco
Look into ./client/win/glb after a download run. You'll find rootsupd.exe (Update for trusted certs) and rvkroots.exe (Update for revoked certificate list). Yes, WSUSOU deals with 'em. :mrgreen:

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 18.07.2014, 06:46
by friday123
boco wrote: Look into ./client/win/glb after a download run. You'll find rootsupd.exe (Update for trusted certs) and rvkroots.exe (Update for revoked certificate list). Yes, WSUSOU deals with 'em. :mrgreen:


I am using WSUSOU r603 and I just ran the Update Generator today. I have a rootsupd.exe from 2014-02-13 and rvkroots from 2013-12-10. Microsoft has done revocations since then. Is it possible they are no longer updating these packages for enterprise customers?

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 18.07.2014, 08:31
by WSUSUpdateAdmin
Hi.

Preceding thread: viewtopic.php?f=6&t=3543.

By today, WOU provided rvkroots.exe v. 5.0.2195.0 (kb2917500, see http://www.microsoft.com/en-us/download ... x?id=41542), but I just found rvkroots.exe v. 6.0.2195.0 (kb2982792, see http://www.microsoft.com/en-us/download ... x?id=43672), which I'll integrate now.

Regards
T. Wittrock
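
Added example (not part of the original posts and not WSUSOU's own code): a PowerShell check of the two certificate packages discussed above, reporting their file version, date and Authenticode status, then listing the machine's Untrusted Certificates store for comparison with an advisory. It assumes it is run from the WSUSOU root folder and treats 6.0.2195.0, the rvkroots.exe version named in this thread, as the minimum expected version.

```powershell
# Assumption: current directory is the WSUSOU root, so packages are in .\client\win\glb.
$glb = Join-Path (Get-Location).Path 'client\win\glb'
# Newest rvkroots.exe version named in this thread (kb2982792).
$expectedRvk = [version]'6.0.2195.0'

$report = foreach ($name in 'rootsupd.exe', 'rvkroots.exe') {
    $path = Join-Path $glb $name
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # A missing package means the download run did not fetch it.
        [pscustomobject]@{
            File = $name; Version = $null; Modified = $null
            Signature = 'missing'; Signer = $null; NeedsAttention = $true
        }
    }
    else {
        $item = Get-Item -LiteralPath $path
        $vi   = $item.VersionInfo
        # Build the version from the numeric parts; FileVersion strings can carry extra text.
        $ver  = [version]('{0}.{1}.{2}.{3}' -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart)
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # Only rvkroots.exe has a version stated in the thread to compare against.
        $old  = ($name -eq 'rvkroots.exe') -and ($ver -lt $expectedRvk)
        [pscustomobject]@{
            File           = $name
            Version        = $ver
            Modified       = $item.LastWriteTime.ToString('yyyy-MM-dd')
            Signature      = $sig.Status
            Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # Flag packages that are outdated or whose signature does not validate.
            NeedsAttention = $old -or ($sig.Status -ne 'Valid')
        }
    }
}
$report | Format-Table -AutoSize

# Certificates currently in the machine's Untrusted Certificates store,
# to compare by hand against the certificates an advisory lists.
Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Sort-Object NotBefore -Descending |
    Select-Object Thumbprint, Subject, Issuer, NotBefore |
    Format-Table -AutoSize
```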

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 18.07.2014, 15:39
by aker
Please update .\client\exclude\ExcludeList.txt too.

[edit]No need to; the WUA still lists the old KB-id.[/edit]

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 20.07.2014, 05:36
by friday123
WSUSUpdateAdmin wrote: By today, WOU provided rvkroots.exe v. 5.0.2195.0 (kb2917500, see http://www.microsoft.com/en-us/download ... x?id=41542), but I just found rvkroots.exe v. 6.0.2195.0 (kb2982792, see http://www.microsoft.com/en-us/download ... x?id=43672), which I'll integrate now.


Thanks Torsten. I've confirmed the update is successfully applied in Windows 8 and the certificates issued by CCA India that are referenced in advisory 2982792 are listed as untrusted.

What do you think will happen in about a year when Server 2003 goes EOL? Will we still get these enterprise certificate list packages? The new separate updater method seems pretty confusing to me:

Announcing the automated updater of untrustworthy certificates and keys
Verify KB2916652 on Windows 2012
An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2
Configure Trusted Roots and Disallowed Certificates

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 27.07.2014, 12:42
by WSUSUpdateAdmin
Hi.

aker wrote: Please update .\client\exclude\ExcludeList.txt too.

[edit]No need to; the WUA still lists the old KB-id.[/edit]


Thanks, I've added kb2982792 anyway now.

Greets
Torsten

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 11.07.2015, 07:24
by friday123
What is happening now with rvkroots? It has been released by Microsoft for Windows Server 2003. I just got an e-mail from Microsoft that July 14, 2015 is the EOL date for Windows Server 2003, so what is WSUSOU going to do for root certificates after that date?

Re: Does WSUSOU install updated certificate trust/untrust li

Posted: 11.07.2015, 14:24
by aker
As long as MS provides the files (and maybe updates them), wsusou will be able to download & install them. They can be applied on NT 6.x (Vista - Win 8.1), too, so I assume that they will still be included after w2k3 support gets removed.