Recently a customer contacted me with a certificate / Windows Automatic CA root updates issue . The customer is using COMODO certificates but keeps getting errors about the certificate not being trusted.
Some Background information
Certificates are validated by a chain of trust. The Root Certificate Authority (CA) is the trust anchor of the chain. Such a chain can exist of multiple certificates building a hierarchy of trust. The root certificate is the highest certificate in the chain and is used to mark lower certificates in the chain as ‘trusted’.
Microsoft has a program called “Microsoft Root Certificate Program” to distribute root certificates to Windows clients and devices. Microsoft published a list of members of the “ Root Certification Program” on Technet. This list will be updated as new CA’s are added to the program. In Windows Xp and before the whole list was available in the root certificate store on the client, since Windows Vista the list is shortened resulting in a lot of certificates not available on the client. The reason for this is to speed up the time to validate certificates.
If a chain of trust ends with a root certificate part of the “Microsoft Root Certificate Program” but is not available in the local certificates store on the client Windows Update will download the certificate. This procedure depends on the OS you are using and is described in KB931125.
The Customer Issue
The customer who had the certificate issues didn’t provide clients with internet access. This was preventing the client from acquiring certificates trough Windows Update. Microsoft solves this with a tool called rootsupd.exe which will download and import all certificates that are part of the Root Certificate Program to the clients root certificates store.
Keep in mind the certificate list part of the Root Certificate Program is changing regular so keep it up-to-date. You can find the list of root ca’s member of the program on this page. To be notified automatically of changes subscribe to the RSS feed available on the site.