
Vista Tutorial - Microsoft`s Silent Trusted Root Authority update is Invalid?

Old 12-26-2008   #1 (permalink)
ɠɛɐǨ


Join Date: May 2007
Windows Vista™ Ultimate
 
 

Microsoft`s Silent Trusted Root Authority update is Invalid?

I was going through my Event Log today and spotted over 5000 CAPI2 (Crypto API) Errors, generating anywhere from 5-20 new errors every hour going back to November it seems...

After some quick checking it seems the Trusted Root Certification Authority list is not updating correctly.

For anyone who doesn't understand what the Trusted Root Certification Authority List is about or why this list is a crucial cornerstone of everyday internet use, here's an excerpt from Microsoft's documentation:

Quote:
Root certificates are updated on Windows XP, Vista and all earlier versions of Windows automatically. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks the appropriate Microsoft Update location for the root certificate. If it finds it, it downloads it to the system. To the user, the experience is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically, behind the scenes.
Root certificates are also delivered for Windows XP and earlier. Root Updates are cumulative, so it should only be necessary to install the latest one to receive all root certificates in the Program.
Whether a user, or “relying party”, should trust a root certificate for any particular purpose can be a difficult question. CAs must be on guard against issuing certificates to people who put them to bad use, such as signing malicious software to make it seem more acceptable. CAs should have effective revocation policies and procedures to adequately deal with such certificates. Also, users are expected to scan a CA’s Certificate Practice Statement (CPS) before deciding to trust a certificate - to ensure that acceptance would not cause undue risk to a user’s security, for example. Such documents can be hundreds of pages long though, making user trust decisions complex. Microsoft’s role is to assess CAs and qualify them according to the Program requirements before enabling distribution of their root certificates.
Basically, Microsoft periodically updates the list with the latest Certificate Authorities used for verifying the SSL certificates used by your bank, eBay, PayPal and thousands of other websites using SSL certificates and also updates the list of banned certificates being used for malware, fraudulent websites or other certificates being misused (like these two: VeriSign issues false Microsoft digital certificates)


The latest Update can be downloaded here (URL from the Event Log): http://www.download.windowsupdate.co...uthrootstl.cab

After opening the AuthRootstl.cab file you can see the Authroot.stl update list where you can see the latest Trust List Update information...

It seems however that the last Certification update Microsoft released on the 4th of November 2008 was signed using an invalid Internal Windows Code Signing certificate

Not only did Microsoft use the wrong Certificate to sign the Update, the Trust list of updated certificates itself (viewable from the second tab then under Certificate list) has a few hundred invalid and missing CA entries

Interestingly, when I downloaded this list on Windows 7 it had an equally destroyed Update List signed at 11:50PM the night before the Vista Update List was signed the next day at 9:50AM, they both have the same hash and thumbprint but have different signing dates (How is that even possible?) There is also no information about the CAPI2 errors found in the Windows 7 Event Log...

It begs the following questions:

1: Why hasn't this problem been reported by anyone, anywhere else before I spotted it?

2: If the Trusted Root Update did manage to update your local system is it safe to assume the entire system's Root Certification Store is more or less 'compromised' meaning every website using SSL, every e-mail using signing, encrypted file or anything and everything using a certificate issued by a Trusted Root Certification Authority can no longer be guaranteed or verified on your system? (affecting every Version of Windows including Windows 7)

3: Since it's accumulative does that mean all current entries are overwritten with each new update? (In case a system did get this failed update is it OK to continue using without having to format the system?)

4: How does the certificate signing timestamp change between Windows 7 and Vista for the same download?

5: Why does the latest Manual update only support XP? (It seems to install but it doesn't display any information about Vista support or even if it installed successfully) (https://www.microsoft.com/downloads/...DisplayLang=en)

6: Since there's no CAPI2 related Event Log information on Windows 7 does this mean this update is being installed on Windows 7 successfully or failing silently?

7: How did this pass their internal testing guidelines before whomever reasonable was able to release it and why hasn't it been fixed in nearly two months?

Can anyone else confirm what I have mentioned or does anyone have some more information, thoughts or ideas about this problem so I can report this to Microsoft?

Steven

(P.S. Merry Christmas for yesterday and Happy New Year for next week)


Last edited by dmex; 12-26-2008 at 10:14 AM..
Old 12-26-2008   #2 (permalink)
im coming for cake


Join Date: Jan 2008
ultimate 64 SP1
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

Here's my Vista "event log", I'm not seeing the same as you mate..??
eve.jpg

but this reads the same as yours..??
0098.jpg



SK
Old 12-26-2008   #3 (permalink)
ɠɛɐǨ


Join Date: May 2007
Windows Vista™ Ultimate
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

Quote: Originally Posted by skunksmash
Here's my Vista "event log", I'm not seeing the same as you mate..??

but this reads the same as yours..??

SK
Quote: Originally Posted by Brink
Strange. I do not have any errors in Event Viewer as well.

It shows as invalid as yours though:

This is starting to get very strange, you guys don't see the errors in your event log yet your certificates are signed 11:50PM on the 3rd of November... I get the error logs but have a certificate signed 9:50AM on the 4th of November at exactly 10 hours later at the same time

What does this mean?
Old 12-26-2008   #4 (permalink)
Old Dog


Join Date: Sep 2008
Vista Ultimatex64 Windows 7 build 7100
 
 

I am not seeing this either, not on Vista (see attached)
or on 7

Got a different date as well

I hope this helps



Thanks for the edit dmex I couldn't get the new pic in

Attached Thumbnails
capture11.jpg   capture111.jpg  

Last edited by pooch; 12-26-2008 at 12:00 PM..
Old 12-26-2008   #5 (permalink)
ɠɛɐǨ


Join Date: May 2007
Windows Vista™ Ultimate
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

I have a feeling Microsoft use different TRA (Trusted Root Authority) updates for each language and country and they're all signed using an invalid certificate ID

Microsoft uses a hard-coded Certificate embedded in Windows for updating this list, I assume a recent update is using either the wrong certificate or they removed their embedded certificate by mistake

I also noticed after installing the 11/24/2008 Manual Root Certificate update for XP (https://www.microsoft.com/downloads/...DisplayLang=en) on my Vista system it fixed the hundreds of missing Certificate Trust List entries from that certificate update offered on Windows Update but it didn't fix the "The certificate that signed this List not valid" error

I'm thinking their entire batch of TRA lists was corrupted globally somehow and my system probably got the first silent update that succeeded in installing the invalid list before realizing too late it's invalid and was trying to redownload a new list but can't since its signature is also invalid, hence the Event Log reports

Here's the MSDN info for the event error I'm receiving: EventID 11 Automatic Root Certificates
I have tried both options but each time a new event-log error pops up with
Quote:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
Old 12-26-2008   #6 (permalink)
The Demented R.S.M.


Join Date: Sep 2008
Vista Home Premium 32bit [x86] - SP2
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

G'Day Dmex,

First and foremost Mate, all the best for the New Year 2009.

Here is my Event Viewer>Windows Log>Application record for your same time frame;

event-viewer-windows-logs-application.jpg

I do also have a problem, in that Custom Event Log Service is not running;

event-viewer-custom-views-admin-events.jpg

event-viewer-custom-views-network-diagnostics.jpg

event-viewer-custom-views-summary-page.jpg

Is this normal? I'm no techo, however, are there any reasons why I should not have it running? If none, your recommendations, and how I can get to activate it please.

Cheers. sassofalco
Old 06-05-2009   #7 (permalink)
Newbie


Join Date: Jun 2009
Vista Ultimate 32-bit
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

I recently encountered this same error while installing signed installation packages.

I started getting this problem after the certificate "Microsoft Certificate Trust List Publisher" expired on May-27-2009. If I set my system time to May-26-2009 then I do not get the error.

When I extracted authroot.stl from the cab file and installed it (right click->"Install CTL"), the error messages went away. After installation I can see the "Microsoft Certificate Trust List Publisher" certificate in certmgr under "Enterprise Trust"

I did not get this error on my "real" systems, but only on my Virtual Images I test with. My current pet theory is that if a system does not get regular updates, (I keep reverting images back to a saved state for testing) and key Microsoft certificates are not updated before they time out then the automatic certificate update facility will not update the Root List with stl files whose signatures have invalid trust chains.


I am not sure if this is the same mechanism that caused dmex to experience CAPI2 error, clearly it's not directly related because of the date of the expiration of the certificate.
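Added example (editorial, not part of any post in this thread): the clock experiment in post #7 can be repeated without changing the system time by decoding an extracted authroot.stl and building the signer certificate's chain at a chosen verification time. The function name `Test-CtlSigner` and the default file path are hypothetical; the two dates in the usage comments are taken from post #7.

```powershell
# Added example, not code from the thread. The default path is a hypothetical
# location of an authroot.stl already extracted from authrootstl.cab.
Add-Type -AssemblyName System.Security

function Test-CtlSigner {
    param(
        [string]$Path = 'C:\Temp\authroot.stl',  # assumption: extracted CTL
        [datetime]$AsOf = (Get-Date)             # time used to judge the signer chain
    )
    # An .stl file is a PKCS #7 SignedData blob; decoding it trusts nothing.
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode([System.IO.File]::ReadAllBytes($Path))

    # $true = verify the signature bytes only, without judging the signer's chain.
    $signatureOk = $true
    try { $cms.CheckSignature($true) } catch { $signatureOk = $false }

    $signer = $cms.SignerInfos[0].Certificate

    # Build the signer's chain as of $AsOf instead of moving the system clock.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chain.ChainPolicy.VerificationTime = $AsOf
    [void]$chain.ChainPolicy.ExtraStore.AddRange($cms.Certificates)
    $chainOk = $chain.Build($signer)

    # Key usages the signer certificate is actually issued for.
    $ekus = $signer.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { '{0} ({1})' -f $_.FriendlyName, $_.Value }

    New-Object PSObject -Property @{
        Signer      = $signer.Subject
        NotBefore   = $signer.NotBefore
        NotAfter    = $signer.NotAfter
        AsOf        = $AsOf
        SignatureOk = $signatureOk
        ChainOk     = $chainOk
        ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status })
        SignerEku   = @($ekus)
    }
}

# Same file judged on either side of the expiry date reported in post #7.
# Test-CtlSigner -AsOf '2009-05-26'
# Test-CtlSigner -AsOf '2009-05-28'
```

A result with `SignatureOk` true and `ChainOk` false separates an intact list whose signer is no longer trusted at that time from a list whose bytes fail verification; `ChainStatus` names the reason.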
Old 06-06-2009   #8 (permalink)
<#(((>>{


Join Date: Jul 2008
Vista Ultimate 64-bit, SP2
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

Hi dmex,
Have you managed to 'nut out' what to do re this inconsistency?
Just noticed that I'm getting the same error message in Event Vwr [ Win logs / application / CAPI2 ].
On checking 'Certificate Trust List' the effective date is Sat. 2nd May 2009. However The Cert. List Info. says " The certificate trust list is not valid. The certificate that signed the list is not valid."
On viewing the certificate further it states "The certificate is not valid for the selected purpose" whilst indicating it is valid from 11/04/2009 to 11/07/2010. Bit of a joke!!!!
What is your recommendation?
TIA

Last edited by JMH; 07-09-2009 at 07:14 PM.. Reason: Correction.
Old 06-08-2009   #9 (permalink)
Member


Join Date: Jun 2008
Vista 32bits Sp2 Ultimate
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

This is what I see in the CTL is that the certificate stored in the authrootstl-1.cab is dated of May the 2nd. If I use the link here (from the event viewer), the is the date. So question is: is my computer not updating or has MS forgotten to update the certificate. But then there should be plenty others have the same issue... weird.....
Old 06-22-2009   #10 (permalink)
Member


Join Date: Oct 2008
Vista Ultimate 32bit SP2
 
 

Re: Microsoft`s Silent Trusted Root Authority update is Invalid?

So, welcome me to the club. This error appears in event log when a regular user logs onto my machine since the 27th of May (but not for me as admin).

Anybody found a solution?