Trusted Root Certificates outdated?

Trusted Root Certificates outdated?

Postby friday123 » 13.06.2013, 04:22

I started WSUSOffline 8.4 downloader and it told me my root certs were outdated. I checked and my Windows 7 x64 computer is up-to-date so I don't know why I'm seeing that message. The exact message was:
Your list of Trusted Root Certificates is outdated. Would you like to update it now?

I chose yes, and then I was given a UAC for "Windows Root Certificate Update December 2012". What's going on here? Should I be seeing that? My computer is up to date.

Thanks
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Trusted Root Certificates outdated?

Postby boco » 13.06.2013, 05:56

Yes. Usually Windows keeps its trusted certificate list current, but sometimes that mechanism can fail. Trusted cert updates are not listed in Windows Update/Microsoft Update.

If you deny that update WSUSOU will not work right. All downloaded MS files will have their signatures checked, and that check needs the root certs.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: Trusted Root Certificates outdated?

Postby friday123 » 13.06.2013, 06:00

boco wrote:Yes. Usually Windows keeps its trusted certificate list current, but sometimes that mechanism can fail. Trusted cert updates are not listed in Windows Update/Microsoft Update.

I'm very surprised. Do a lot of people report this issue or is it just me?
friday123
 
Posts: 74
Joined: 28.11.2009, 05:30

Re: Trusted Root Certificates outdated?

Postby boco » 13.06.2013, 09:46

A few have, thus the community opted for this change. If you let it update the certs you eliminate a potential error condition, where the system deletes the catalog file right after download, because the signature check fails (due to missing root certificate).
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: Trusted Root Certificates outdated?

Postby Denniss » 13.06.2013, 09:51

According to some M$ sites the trusted certificate list is updated once you encounter a site with an unknown certificate. This may not work from the command prompt which WOU uses.
To prevent issues with file deletions because of outdated signatures this new signature update mechanism was introduced with version 8.4
It's somewhat strange to see a message about a 12/2012 update, the most recent file should be from April/May 2013 (but the message may have come from the revoked signature updates which is from this timeframe).
It's a problem on XP as these updates are listed as optional, I have not seen them installed via autoupdates either.
Denniss
 
Posts: 869
Joined: 01.08.2009, 10:51

Re: Trusted Root Certificates outdated?

Postby boco » 13.06.2013, 10:17

Yep, on Windows Vista, 7 and 8 I have never seen that update listed at all. MS admitted that in some cases the automatic retrieval doesn't work and thus the rvkroots update works for these OS, too, despite being designated for XP.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany

Re: Trusted Root Certificates outdated?

Postby hans15 » 14.09.2014, 12:27

When those certificates are updated, is your RDP connection being killed? The first time I started the updates download, I was disconnected from the host, and when I reconnected all open windows were closed as if the explorer task bar had crashed. Kinda creepy, and now I don't know if there's a virus.
hans15
 

Re: Trusted Root Certificates outdated?

Postby aker » 15.09.2014, 07:51

You can test that after the download completed, just manually install .\client\win\glb\rootsupd.exe. If the RDP is killed again, it is caused by the root certificates.
Wer Rechtschreibfehler findet, darf sie behalten oder an den Meistbietenden versteigern. / Everybody finding a misspelling is allowed to keep or sell it.
aker

WSUS Offline Update „Community Edition“
https://gitlab.com/wsusoffline/wsusoffline/-/releases
aker
 
Posts: 3999
Joined: 02.03.2011, 15:32

Re: Trusted Root Certificates outdated?

Postby boco » 16.09.2014, 07:24

Could be that update restarts (a) service(s) to reload the new certs.
Microsoft update catalog: http://catalog.update.microsoft.com/v7/site/
Windows Install media download: https://support.microsoft.com/en-us/help/15088/windows-create-installation-media
boco
 
Posts: 2391
Joined: 24.11.2009, 17:00
Location: Germany


Return to Download

Who is online

Users browsing this forum: No registered users and 60 guests