Microsoft`s Silent Trusted Root Authority update is Invalid?

I was going though my Event Log today and spotted over 5000 CAPI2 (Crypto API) Errors, generating anywhere from 5-20 new errors every hour going back to November it seems...



After some quick checking it seems the Trusted Root Certification Authority list is not updating correctly

For anyone who doesn't understand what the Trusted Root Certification Authority List is about or why this list is a crucial cornerstone of everyday internet use heres a excerpt from Microsoft`s documentation:

Basically, Microsoft periodically updates the list with the latest Certificate Authorities used for Verifying the SSL certificates used by your bank, ebay, paypal and thousands of other websites using SSL certificates and also updates the list of banned certificates being used for Malware, fraudulent websites or other certificates being misused (Like these two: VeriSign issues false Microsoft digital certificates)


The latest Update can be downloaded here (URL from the Event Log): http://www.download.windowsupdate.co...uthrootstl.cab

After opening the AuthRootstl.cab file you can see the Authroot.stl update list where you can see the latest Trust List Update information...



It seems however that the last Certification update Microsoft released on the 4th of November 2008 was signed using an invalid Internal Windows Code Signing certificate

Not only did Microsoft use the wrong Certificate to sign the Update, the Trust list of updated certificates itself (viewable from the second tab then under Certificate list) has a few hundred invalid and missing CA entry's

Interestingly, when I downloaded this list on Windows 7 it had an equally destroyed Update List signed at 11:50PM the night before the Vista Update List was signed the next day at 9:50AM, they both have the same hash and thumbprint but have different signing dates (How is that even possible? ) There is also no information about the CAPI2 errors found in the Windows 7 event-Log...




It begs the following questions:

1: Why hasn't this problem be reported by anyone, anywhere else before I spotted it?

2: If the Trusted Root Update did manage to update your local system is it safe to assume the entire system`s Root Certification Store is more or less 'compromised' meaning every website using SSL, every e-mail using signing, encrypted file or anything and everything using a certificate issued by a Trusted Root Certification Authority can no longer be guaranteed or verified on your system? (affecting every Version of Windows including Windows 7)

3: Since its accumulative does that mean all current entries are overwritten with each new update? (incase a system did get this failed update is it ok to continue using without having to format the system?))

4: How does the certificate signing timestamp change between Windows 7 and Vista for the same download?

5: Why does the latest Manual update only support XP? (It seems to install but it doesn't display any information about Vista support or even if it installed sucessfully) (https://www.microsoft.com/downloads/...DisplayLang=en)

6: Since theirs no CAPI2 related event-log information on Windows 7 does this mean this update is being installed on Windows 7 successfully or failing silently?

7: How did this pass their internal testing guidelines before whomever reasonable was able to release it and why hasn't it been fixed in nearly two months?

Can anyone else confirm what I have mentioned or does anyone have some more information, thoughts or ideas about this problem so I can report this to Microsoft?

Steven

(P.S. Merry Christmas for yesterday and Happy New Year for next week )

Here's my vista ''event log'', im not seeing the same as you mate..??


but this reads the same as yours..??




SK

This is starting to get very strange, you guys dont see the errors in your event log yet your certificates are signed 11:50PM on the 3rd of November...I get the error-logs but have a certificate signed 9:50AM on the 4th of November at exactly 10 hours later at the same time

What does this mean?

I am not seeing this either, not on Vista (see attached)
or on 7

Got a different date as well

I hope this helps



Thanks for the edit dmex I couldn't get the new pic in

I have a feeling Microsoft use different TRA (Trusted Root Authority) updates for each language and country and their all signed using an invalid certificate ID

Microsoft uses a hard-coded Certificate embedded in Windows for updating this list, I assume a recent update is using either the wrong certificate or they removed their embedded certificate by mistake

I also noticed after installing the 11/24/2008 Manual Root Certificate update for XP (https://www.microsoft.com/downloads/...DisplayLang=en) on my Vista system it fixed the hundreds of missing Certificate Trust List entries from that certificate update offered on Windows Update but it didn't fix the "The certificate that signed this List not valid" error

Im thinking their entire batch of TRA list`s was corrupted globally somehow and my system probably got the first silent update that succeeded in installing the Invalid list before realizing too late it`s Invalid and was trying to redownload a new list but cant since its signature is also invalid hence the Eventlog reports

Heres the MSDN Info for the Event Error Im receiving: EventID 11 Automatic Root Certificates
I have tried both options but each time a new event-log error pops up with

G'Day Dmex,

First and foremost Mate, all the best for the New Year 2009.

Here is my Event Viewer>Windows Log>Application record for your same time frame;



I do also have a problem, in that Custom Event Log Service is not running;







Is this normal? I'm no techo, however, are there any reasons why I should not have it running? If none, your recommendations, and how I can get to activate it please.

Cheers. sassofalco

I recently encountered this same error while installing signed installation packages.

I started getting this problem after the certificate "Microsoft Certificate Trust List Publisher" expired on May-27-2009. If I set my system time to May-26-2009 then I do not get the error.

When I extracted authroot.stl from the cab file and installed it (right click->"Install CTL"), the error messages went away. After installation I can see the "Microsoft Certificate Trust List Publisher" certificate in certmgr under "Enterprise Trust"

I did not get this error on my "real" systems, but only on my Virtual Images I test with. My current pet theory is that if a system does not get regular updates, (I keep reverting images back to a saved state for testing) and key Microsoft certificates are not updated before they time out then the automatic certificate update facility will not update the Root List with stl files who’s signatures have invalid trust chains.


I am not sure if this is the same mechanism that caused demx to experience CAPI2 error, clearly it’s not directly related because of the date of the expiration of the certificate.

Hi dmex,
Have you managed to 'nut out' what to do re this inconsistency?
Just noticed that I'm getting the same error message in Event Vwr [ Win logs / application / WMI ].
On checking 'Certificate Trust List' the effective date is Sat. 2nd May 2009. However The Cert. List Info. says " The certificate trust list is not valid. The certificate that signed the list is not valid."
On viewing the certificate further it states "The certificate is not valid for the selected purpose" whilst indicating it is valid from 11/04/2009 to 11/07/2010. Bit of a joke!!!!
What is your recommendation?
TIA

This is what I see in the CTL is that the certificate stored in the authrootstl-1.cab is dated ofMay the 2nd. IF i use the link here (from the event viewer), the is the date. So question is : is my computer not updating or has MS forgotten to update the certificate. But then there should be plenty others have the same issue... weird.....

So, welcome me to the club. This error appears in event log when a regular user logs onto my machine since the 27th of May (but not for me as admin).

Anybody found a solution?