Jaa


Event ID 3 — Automatic Root Certificates Update Configuration

Applies To: Windows Server 2008

The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.

Event Details

Product: Windows Operating System
ID: 3
Source: Microsoft-Windows-CAPI2
Version: 6.0
Symbolic Name: MSG_ROOT_LIST_AUTO_UPDATE_URL_RETRIEVAL_ERROR
Message: Failed auto update retrieval of third-party root list cab from: <%1> with error: %2.

Resolve

Ensure connectivity to the Microsoft Windows Update Web site

The Automatic Root Certificates Update component checks the Microsoft Windows Update Web site whenever an application is presented with a certificate issued by an untrusted root certification authority (CA). Use the "Test connectivity to the Microsoft Windows Update Web site" section to ensure that your computer can access the Microsoft Windows Update Web site. If your computer does not have access to the Microsoft Windows Update Web site, you can turn off this component by using the Local Group Policy Editor. Use the "Turn off Automatic Root Certificates Update" section to turn off Automatic Root Certificates Update.

Note: If the issue is not resolved by testing connectivity to the Microsoft Windows Update Web site or by turning off the Automatic Root Certificates Update component, you can enable CryptoAPI 2.0 Diagnostics by using the "Enable CryptoAPI 2.0 Diagnostics" section.

Test connectivity to the Microsoft Windows Update Web site

To perform this procedure, you must be a member of the local Users group, or you must have been delegated the appropriate authority.

To test connectivity to the Microsoft Windows Update Web site:

  1. Click Start, click Control Panel, and then click Windows Update.
  2. Click Check for Updates.
  3. If you are able to successfully connect to the Microsoft Windows Update Web site, the root certificates update will be downloaded correctly.
  4. If you cannot connect to the Microsoft Windows Update Web site because your organization has intentionally restricted access to this Web site, you can turn off Automatic Root Certificates Update by using the section named "Turn off Automatic Root Certificates Update."

Note: If you are using an application that downloads updates from the Microsoft Windows Update Web site on behalf of this computer, such as Windows Server Update Services, you should ensure that the server can connect to the Microsoft Windows Update Web site.

Turn off Automatic Root Certificates Update

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To turn off Automatic Root Certificates Update:

  1. Click Start, and then click Run.
  2. Type gpedit.msc, and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
  6. Close the Local Group Policy Editor.

Note: You can use Group Policy to set policy settings that apply across a given site, domain, or organizational unit in Active Directory Domain Services.

Enable CryptoAPI 2.0 Diagnostics

CryptoAPI 2.0 Diagnostics displays verbose logging information that can be used to help identify and fix issues.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To enable CryptoAPI 2.0 Diagnostics:

  1. Click Start, point to Administrative Tools, and then click Event Viewer.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the console tree, expand Event Viewer, expand Applications and Services Logs, expand Microsoft, expand Windows, and then expand CAPI2.

  4. Right-click Operational, and then click Enable Log.

  5. To disable CryptoAPI 2.0 Diagnostics, right-click Operational, and then click Disable Log.

Note: To learn more about how to use CryptoAPI 2.0 Diagnostics, see Troubleshooting PKI Problems on Windows Vista (https://go.microsoft.com/fwlink/?LinkId=102080).

Verify

You can verify that the Automatic Root Certificates Update component is working properly by using a Web browser to open a Web site that requires the Automatic Root Certificates Update component. When you open this Web site, a new root certificate is downloaded from the Microsoft Windows Update Web site. If the certificate is downloaded successfully, Event ID 1 in the Microsoft-Windows-CAPI2 event source will be written to the event log.

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To verify that Event ID 1 is being written to the event log:

  1. Click Start, and then click Control Panel.
  2. Double-click Administrative Tools, and then click Event Viewer.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Expand Windows Logs, and then click Application.
  5. Look for an event with a Source named CAPI2 and an Event ID of 1.

Automatic Root Certificates Update Configuration

Core Security