Windows 10 Root Certificate Update


This article provides a workaround for an issue where valid root CA certificates that are distributed by using GPO appear as untrusted.

We found that the root CAs were out of date on some of our Windows 2012 R2 servers. Having investigated this, it appears Microsoft released a patch to provide the ability for 'Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet'. This patch introduces new registry keys for stopping Windows Update from updating the root CAs along with.

First, you need to download the complete root certificate list using the certutil command line tool (Windows 10 requires administrator rights while using cmd.exe):

Certutil.exe -generateSSTFromWU roots.sst

Windows 10 allows us to stop trusting roots or EKUs using the 'NotBefore' or 'Disable' properties, both of which allow. The NotBefore and Disable dates are set for the first day of the release month. The update package will be available for download and testing at: https://aka.ms/CTLDownload.
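The following PowerShell is an added example, not part of the original article: it runs the certutil command above to pull Microsoft's current root list into an SST file, loads that file, compares it with the roots present in this machine's LocalMachine\Root store, and reports whether the automatic root update has been switched off by the policy value the referenced document describes. It assumes certutil.exe is available (it ships with Windows), the machine can reach Windows Update, and the session is elevated; the output path under $env:TEMP is my choice.

```powershell
# Added example (not from the original article): fetch the Windows Update root list
# into roots.sst, diff it against LocalMachine\Root, and show the auto-update policy.
# Assumptions: certutil.exe present, Windows Update reachable, elevated session.
$sst = Join-Path $env:TEMP 'roots.sst'

# certutil -generateSSTFromWU writes the Windows Update root list as a serialized store.
& certutil.exe -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# X509Certificate2Collection.Import understands the .sst (serialized store) format.
$wuRoots = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$wuRoots.Import($sst)

# The logical LocalMachine\Root store merges all physical stores (Registry, GP, ...).
$localRoots  = Get-ChildItem Cert:\LocalMachine\Root
$localThumbs = @{}
foreach ($c in $localRoots) { $localThumbs[$c.Thumbprint] = $true }

# Roots Microsoft currently ships that are not present on this machine.
$missing = @($wuRoots | Where-Object { -not $localThumbs.ContainsKey($_.Thumbprint) })

"Windows Update root list : {0} certificates" -f $wuRoots.Count
"LocalMachine\Root        : {0} certificates" -f @($localRoots).Count
"Not present locally      : {0}" -f $missing.Count
$missing | Sort-Object NotAfter |
    Select-Object -First 10 Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# Policy from 'Controlling the Update Root Certificates Feature ...':
# HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate = 1
$authRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $authRoot -Name DisableRootAutoUpdate `
                -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) {
    'Automatic root update is DISABLED by policy: roots listed above will not be fetched on demand.'
} else {
    'Automatic root update is enabled (default): a missing root is fetched when a chain first needs it.'
}
```

A root that is "not present locally" is not by itself a problem when automatic root update is enabled, because Windows downloads roots on first use; the list only becomes a gap to close (for example by importing roots.sst into LocalMachine\Root) on machines where the policy above is set to 1 or that have no Internet access.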

Original product version: Windows 10 - all editions, Windows Server 2012 R2
Original KB number: 4560600

Symptoms

Important

Untrusted root Certificate Authority (CA) certificate problems can be caused by numerous PKI configuration issues. This article illustrates only one of the possible causes of an untrusted root CA certificate.


Various applications using certificates and Public Key Infrastructure (PKI) might experience intermittent problems such as connectivity errors, one or two times per day or week, because verification of an end-entity certificate fails. Affected applications might return different connectivity errors, but they will all have untrusted root certificate errors in common. The following is an example of such an error:

Hex          Decimal        Symbolic                Text version
0x800b0109   -2146762487    CERT_E_UNTRUSTEDROOT    A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Any PKI-enabled application that uses the CryptoAPI system architecture can be affected by an intermittent loss of connectivity, or by a failure in PKI/certificate-dependent functionality. As of April 2020, the list of applications known to be affected by this issue includes, but is not limited to:

  • Citrix
  • Remote Desktop Service (RDS)
  • Skype
  • web browsers

Administrators should be able to identify and troubleshoot untrusted root CA certificate problems by inspecting the CAPI2 Log.

Focus your troubleshooting efforts on Build Chain/Verify Chain Policy errors within the CAPI2 log containing the following signatures. For example:

Error <DateTime> CAPI2 11 Build Chain
Error <DateTime> CAPI2 30 Verify Chain Policy

Result A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
[value] 800b0109
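As an added example (not from the original article), the following PowerShell turns the troubleshooting advice above into a query: it enables the CAPI2 operational log, which is off by default, and then pulls the Build Chain (ID 11) and Verify Chain Policy (ID 30) events whose Result value is 800B0109, printing when each occurred and the subject of the certificate whose chain failed. It assumes an elevated session; the event XML layout it reads (a Result element with a value attribute, a Certificate element with a subjectName attribute) is how CAPI2 writes these events.

```powershell
# Added example (not from the original article): find CAPI2 11/30 events that ended in
# CERT_E_UNTRUSTEDROOT (0x800B0109). Assumes an elevated PowerShell session.
$log = 'Microsoft-Windows-CAPI2/Operational'

# The CAPI2 log is disabled by default; this is the same as Enable Log in Event Viewer.
# Intermittent failures cannot be investigated after the fact unless it is on.
& wevtutil.exe sl $log /e:true

# Restrict to the two event IDs the article says to focus on.
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 11, 30 } -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    # CAPI2 puts the HRESULT in the 'value' attribute of the Result element.
    $result = $xml.Event.UserData.SelectSingleNode('.//*[local-name()="Result"]')
    if ($result -and $result.GetAttribute('value') -eq '800B0109') {
        # The first Certificate element is the leaf whose chain was being built.
        $cert = $xml.Event.UserData.SelectSingleNode('.//*[local-name()="Certificate"]')
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Task    = $e.TaskDisplayName
            Subject = if ($cert) { $cert.GetAttribute('subjectName') } else { '(n/a)' }
            Result  = $result.GetAttribute('value')
        }
    }
}

if (-not $hits) {
    'No CAPI2 11/30 events with result 800B0109 found (log just enabled, or failure has not recurred yet).'
}
$hits | Sort-Object Time | Format-Table -AutoSize
```

If the hits cluster around Group Policy refresh times (roughly every 90 minutes on domain members, or at boot), that timing is the signature of the cause described in the next section rather than of a genuinely missing root.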

Cause

Untrusted root CA certificate problems might occur if the root CA certificate is distributed using the following Group Policy (GP):


Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

Root cause details

When distributing the root CA certificate using GPO, the contents of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates are deleted and rewritten on every policy refresh. This deletion is by design, because it is how Group Policy applies registry changes.

Changes in the area of the registry reserved for root CA certificates notify the Crypto API component of the client application, and the application starts synchronizing with the registry changes. This synchronization is how applications are kept up to date and made aware of the most current list of valid root CA certificates.

In some cases, such as when a large number of root CA certificates is distributed via GPO (as with large Firewall or AppLocker policies), Group Policy processing takes longer, and an application that synchronizes while the policy store is being rewritten might not receive the complete list of trusted root CA certificates.

Because of this, end-entity certificates that chain to the missing root CA certificates are treated as untrusted, and various certificate-related problems start to occur. The problem is intermittent and can be temporarily resolved by forcing Group Policy processing again or by rebooting.

If the root CA certificate is published using an alternative method, the problem does not occur, because those stores are not deleted and rewritten during Group Policy processing.
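The following PowerShell is an added example, not part of the original article. It makes the root cause visible on a given machine by listing which root CA certificates exist only in the Group Policy physical store (the registry key that is deleted and rewritten on every refresh) and which also exist in the Registry physical store that survives a refresh. It is read-only and only assumes a local administrator session; the registry paths are the two named in this article, and the fact that each subkey name is the certificate's SHA-1 thumbprint is how Windows lays these stores out.

```powershell
# Added example (not from the original article): which roots depend solely on the
# Group Policy store that GP processing deletes and rewrites? Read-only; run elevated.
$gpKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$localKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

# Each subkey under a certificate store key is named after the cert's SHA-1 thumbprint.
function Get-StoreThumbprints([string]$Path) {
    if (-not (Test-Path $Path)) { return @() }
    @(Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName.ToUpper() })
}
$gpThumbs    = Get-StoreThumbprints $gpKey
$localThumbs = Get-StoreThumbprints $localKey

# Subjects come from the merged logical store, which shows GP + Registry + other physical stores.
$subjects = @{}
Get-ChildItem Cert:\LocalMachine\Root | ForEach-Object { $subjects[$_.Thumbprint] = $_.Subject }

$gpOnly = @($gpThumbs | Where-Object { $localThumbs -notcontains $_ })
$both   = @($gpThumbs | Where-Object { $localThumbs -contains $_ })

"Roots delivered by GPO    : {0}" -f $gpThumbs.Count
"  also in Registry store  : {0}  (still trusted while the GP store is rewritten)" -f $both.Count
"  ONLY in GP store        : {0}  (exposed to the intermittent-untrusted problem)" -f $gpOnly.Count

$gpOnly | ForEach-Object {
    [pscustomobject]@{ Thumbprint = $_; Subject = $subjects[$_] }
} | Format-Table -AutoSize
```

Roots that appear in the "ONLY in GP store" list are the ones whose chains fail with CERT_E_UNTRUSTEDROOT during the window described above; the workaround that follows moves them into the Registry physical store.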

Workaround

Microsoft is aware of this issue and is working to improve the certificate and Crypto API experience in a future version of Windows.

To address this issue, avoid distributing the root CA certificate using GPO. This includes any tool or script that delivers the root CA certificate by writing to the policy registry location HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates, because that location is rewritten in the same way.

Storing the root CA certificate in a different physical root CA certificate store resolves the problem.

Examples of alternative methods for publishing root CA certificates

Method 1: Use the command line tool certutil to import the root CA certificate stored in the file rootca.cer (the certutil -addstore command is shown in step 1 of Method 3 below):

Note

This command can be executed only by local administrators, and it affects only a single machine.

Method 2: Start certlm.msc (the certificates management console for local machine) and import the root CA certificate in the Registry physical store.

Note

The certlm.msc console can be started only by local administrators. Also, the import affects only a single machine.

Method 3: Use Group Policy Preferences to publish the root CA certificate as a registry item, as described in Group Policy Preferences.

To publish the root CA certificate, follow these steps:

  1. Manually import the root certificate on a machine using the certutil -addstore root c:\tmp\rootca.cer command (see Method 1).

  2. Open GPMC.msc on that machine where you have imported the root certificate.

  3. Edit the GPO that you would like to use to deploy the registry settings in the following way:

    1. Edit Computer Configuration > Preferences > Windows Settings > Registry, and browse to the registry key of the root certificate imported in step 1.
    2. Add the root certificate's registry key to the GPO, as shown in the screenshot.
  4. Deploy the new GPO to the machines where the root certificate needs to be published.

Any other method, tool, or client management solution that distributes root CA certificates by writing them into the location HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates will work.
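The following PowerShell is an added example, not part of the original article. It performs Method 1 (the PowerShell equivalent of certutil -addstore root c:\tmp\rootca.cer), verifies that the certificate landed in the Registry physical store named just above rather than in the Group Policy store, warns if the same root is still being delivered through the GPO certificate store, and exports the resulting registry key so the exact Blob value can be reproduced as the Group Policy Preferences registry item of Method 3. It assumes c:\tmp\rootca.cer exists (the path used in this article) and an elevated session; the export path under $env:TEMP is my choice.

```powershell
# Added example (not from the original article): Method 1 plus verification, then an
# export of the key that Method 3's GPP Registry item replicates. Run elevated.
$cerPath = 'c:\tmp\rootca.cer'   # path from the article

# Equivalent of: certutil -addstore root c:\tmp\rootca.cer
$imported = Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root
$thumb = $imported.Thumbprint
"Imported: {0}  ({1})" -f $imported.Subject, $thumb

$registryStore = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumb"
$policyStore   = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\$thumb"

# The workaround only works if the root lives in the Registry physical store,
# which Group Policy processing never deletes.
if (-not (Test-Path $registryStore)) { throw "Root not found under $registryStore" }
if (Test-Path $policyStore) {
    Write-Warning ("This root is ALSO delivered by a GPO (Public Key Policies). Remove it from that " +
                   "GPO, otherwise the policy store is still rewritten on every refresh.")
}

# A certificate key holds one value, 'Blob' (REG_BINARY: the DER cert plus its properties).
$blob = (Get-ItemProperty -Path $registryStore).Blob
"Blob value: {0} bytes (REG_BINARY)" -f $blob.Length

# reg export wants the HKLM\ form, not the HKLM:\ provider path. The .reg file documents
# the exact key/value to reproduce with a Group Policy Preferences Registry item.
$regFile = Join-Path $env:TEMP "root-$thumb.reg"
$nativeKey = "HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumb"
& reg.exe export $nativeKey $regFile /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }
"Exported: $regFile"
```

Run this on the reference machine from step 1 of Method 3; the Group Policy Preferences Registry Wizard can then be pointed at that machine and the exported key, so the Blob value is copied byte for byte into the GPO rather than re-imported through Public Key Policies.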


Utilizing your CAC on Windows 10 'can' be as easy as...


Installing the DoD Root certificates and making sure the Internet Options are set correctly.

However, computers don't always cooperate with us. So....

Here are my findings and solutions:

Information: Edge is the default web browser in Windows 10. Internet Explorer is on the computer and provides backwards compatibility for web pages that do not work with Edge.

My recommendation is to type: Internet Explorer into the Search the web and Windows/ I'm Cortana / Ask me anything (box) in the lower left corner of your screen. Once Internet Explorer appears, right click Internet Explorer and select Pin to taskbar.

Finding 1: You upgraded from Windows 8.1 and were using your CAC with little to no problems, and now you can't access CAC enabled sites. Keep reading for ideas to try:

Solution 1 (built-in Smart Card ability): Uninstall ActivClient 6.2.0.x or 7.0.1.x by right-clicking the Windows logo '4 squares' [in the lower left corner of your desktop], select Programs and Features (now called Apps and Features), find ActivClient in your list of programs and select Uninstall, restart your computer and try the sites again. It may work; if it doesn't, try the next Solution. Dual persona (PIV) users might be able to access their email using the built-in Smart Card ability; your results may vary. If it doesn't read your PIV, you will need to follow Finding 1, Solutions 2 or 3 below.

Finding 1, Solution 2 (ActivID): ActivID ActivClient 7.1.0.153 works great on Windows 10 computers and is available for Army users from links on the Army page. All other people will have to get it from your respective branch or purchase it to try it on your computer.

Finding 2. I can't access encrypted emails when using the Edge web browser

Solution 2: The Edge web browser does not support S/MIME. See my recommendation above to see how to use Internet Explorer to read and send your encrypted emails when using OWA / webmail.

Information (from Microsoft): To understand the problem with OWA, Edge, and S/MIME you need to know that the OWA S/MIME control is an ActiveX control. By design Edge does not support ActiveX (or Browser Helper Objects); this is good from a security perspective, but bad if you want to use OWA with Edge. Windows 10/Edge is a work in progress; Microsoft is planning to use other technologies to replace ActiveX sometime in the future. In the meantime use Internet Explorer 11.

Finding 3. I can't sign PDFs (Portable Document Format) like I did in Windows 8.1

Solution 3: To digitally sign PDFs, you need to use Internet Explorer, NOT the Edge web browser, and have Adobe Reader set as the default PDF viewer. NO other PDF readers will allow digital signing of forms. This should happen automatically when installing Adobe Reader. However, if it doesn't, here is how to change the default viewer:

Type: 'default' into the Search the web and Windows/ I'm Cortana / Ask me anything (box) near the Windows logo at the bottom left of your screen.


Click: Default Programs at the top of the list.

Click: Associate a file type or protocol with a program.

Scroll down to .pdf. If it shows Adobe Acrobat Reader, it is set correctly; if it shows some other program, select .pdf and click the Change program... (button) in the upper right corner of the screen.


'Adobe Acrobat Reader' should be in the list of choices; select it and then click OK.

Finding 4. How do I get to Internet Options in Edge? I can't find it.

Solution 4: Follow slide 5 of https://milcac.us/tweaks

Finding 5. Cannot see / select the Authentication / PIV certificate in Windows 10

Solution 5: Windows 10 users will see the certificate selection differently than older versions of Windows. Click More choices to see additional certificates. Select the correct certificate and then click OK.