March 3, 2011 - Troubleshoot Root Certificate Update failure
Updated March 24, 2011 (to correct title format and place this page under a Notices section of this site)
Microsoft maintains the list of root certificates distributed by the Microsoft Root Certificate Program. Windows clients download trusted third-party root certificates from this list through the automatic root update mechanism. The automatic root update mechanism relies on downloading a certificate trust list (CTL) from Windows Update. More information on the process is available here.
We had an issue with the last certificate trust list (CTL) we shipped in February 2011: the intermediate CA certificate was missing from the signature on the CTL. This causes problems in customer environments where outbound retrieval of the CA certificate through the Authority Information Access (AIA) extension is blocked by a proxy or firewall. If AIA retrieval is blocked and the intermediate CA certificate is not present locally, the CTL signature validation fails. This in turn causes the automatic root update to fail, which can impact PKI-related scenarios such as browsing SSL-protected sites in IE.
We were alerted to this issue on March 1st, investigated it, and confirmed the issue. We re-signed the CTL and posted the revised CTL to Windows Update yesterday afternoon (March 2). We can confirm that the revised CTL is in distribution now, and customers should receive the automatic root update without issue. Note that propagation across the WU servers is usually quite fast but can take up to 2 days in certain cases. If users still experience this issue before WU server propagation completes, they can work around it by installing this CA certificate in the local machine CA store on the affected machine: http://www.microsoft.com/pki/certs/MicCerTruLisPCA_2009-04-02.crt. You can also use Group Policy to distribute this CA certificate to multiple machines.
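The following PowerShell script is an added example, not part of the original notice and not Microsoft-provided tooling. It carries out the workaround described above on a single machine: it fetches the intermediate CA certificate from the URL given in the notice (or uses an already-downloaded copy), installs it into the Local Machine Intermediate Certification Authorities store, and then checks that the certificate chains to a trusted root without any network retrieval, which is the condition the blocked-AIA environments were missing. The store name `CA` is assumed to be what the notice means by "local machine CA store"; the temporary file path and the use of the .NET X509Store API (rather than `certutil`) are choices made for this example.

```powershell
# Added example (not from the original notice): install the CTL-signing intermediate CA
# certificate into the Local Machine Intermediate CA store and verify it chains offline.
# Assumptions: the URL is the one given in the notice; store name "CA" (Intermediate
# Certification Authorities) is assumed to be the intended target store.
# Run from an elevated PowerShell prompt; the store write requires administrator rights.

$url  = 'http://www.microsoft.com/pki/certs/MicCerTruLisPCA_2009-04-02.crt'
$path = Join-Path $env:TEMP 'MicCerTruLisPCA_2009-04-02.crt'

# Download the DER-encoded certificate unless a copy is already present.
# On a machine whose outbound HTTP is blocked by a proxy, download it elsewhere,
# copy the file to $path, and re-run the script.
if (-not (Test-Path $path)) {
    (New-Object System.Net.WebClient).DownloadFile($url, $path)
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
Write-Host "Subject   : $($cert.Subject)"
Write-Host "Issuer    : $($cert.Issuer)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "NotAfter  : $($cert.NotAfter)"

# Open LocalMachine\CA (Intermediate Certification Authorities) read/write and add the
# certificate only if it is not already there, so the script is safe to run repeatedly.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
try {
    $existing = $store.Certificates.Find(
        [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
        $cert.Thumbprint, $false)
    if ($existing.Count -eq 0) {
        $store.Add($cert)
        Write-Host 'Installed intermediate CA certificate into LocalMachine\CA.'
    } else {
        Write-Host 'Certificate already present in LocalMachine\CA; nothing to do.'
    }
} finally {
    $store.Close()
}

# Verification: build the chain with network retrieval disabled. If this succeeds,
# the chain from this intermediate to a root in the Trusted Root store can be built
# purely from local stores, i.e. without the AIA fetch that proxies were blocking.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::Zero

if ($chain.Build($cert)) {
    Write-Host 'Chain built successfully from local stores:'
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  " + $element.Certificate.Subject)
    }
} else {
    Write-Host 'Chain build FAILED; status:'
    foreach ($status in $chain.ChainStatus) {
        Write-Host ("  " + $status.Status + ": " + $status.StatusInformation)
    }
}
```

The equivalent one-liner with the built-in tool is `certutil -addstore CA MicCerTruLisPCA_2009-04-02.crt`, run as administrator. For the Group Policy route the notice mentions, the same certificate is imported under Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Intermediate Certification Authorities, which pushes it to every machine in scope without logging on to each one. Once the revised CTL has propagated and the automatic root update succeeds, the locally installed copy is harmless and can be left in place.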
Note that this is an informational post about a specific problem that occurred with the most recent root certificate update. For more details on the root update events or troubleshooting, the following references may be useful:
- Root Certificate program information - http://social.technet.microsoft.com/wiki/contents/articles/introduction-to-the-microsoft-root-certificate-program.aspx
- Events associated with automatic root certificate updates - http://technet.microsoft.com/en-us/library/cc733922(WS.10).aspx
- Troubleshooting PKI problems on Windows - http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx
Return to [[articles:introduction-to-the-microsoft-root-certificate-program|Microsoft Root Certificate Program Main Page]]