Updating Root Certificates

I have been unable to fully update the root certificates on my Windows 2008 Server machine. I have tried doing a manual install using https://www.verisign.com/support/roots.html and there are still certificates that are not updated, but used to be trusted
before certification expiration. Is there a way to update these roots automatically by Windows without messing with Group Policy settings? Or a way to update individual roots via Windows?
Thanks.

I'm curious about the intent to do a wholesale update of the root certificates in a server operating system. I would think you should consider yourself lucky, because there are practical limits to the size of the Trusted Root Certificate Store (64kb of certificates,
which is 175-200 of them, depending on their data size).
A more surgical approach is to only install a new root certificate when it is needed for a specific purpose. Otherwise, certificates that are expired can generally just be deleted.
However, for an alternative approach to this process, I would suggest installation of KB931125 to a **WORKSTATION** operating system (a reference VM not actually used by anybody would be even better), and then EXPORT those certificates that you actually
need from that reference system and import them to where they are needed.
Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
SolarWinds Head Geek
Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
http://www.solarwinds.com/gotmicrosoft
The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.
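As an added example (not part of the thread, and not Lawrence's code), here is one way to do the export-from-a-reference-machine, import-where-needed workflow he describes, in PowerShell. It uses the .NET X509Store classes, which are available on PowerShell 2.0 on Windows Server 2008 without the later PKI module; the output folder and the idea of importing only a hand-picked set of thumbprints are assumptions for illustration. It also lists the expired roots that the reply says can generally just be deleted.

```powershell
# Added example, not from the thread: export the non-expired roots from a
# reference workstation's LocalMachine\Root store, then import a chosen
# subset on the server. Uses the .NET X509Store API (PowerShell 2.0 friendly).
# Paths and the thumbprint you pick are illustrative assumptions.

function Get-RootStoreCertificates {
    # Opens LocalMachine\Root read-only and returns every certificate in it.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try { @($store.Certificates) } finally { $store.Close() }
}

function Get-ExpiredRoots {
    # Roots past NotAfter: the ones the reply says can generally just be deleted.
    Get-RootStoreCertificates | Where-Object { $_.NotAfter -lt (Get-Date) }
}

function Export-ReferenceRoots {
    param([string]$OutDir)   # e.g. 'C:\refroots' (assumed path)
    if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $exported = @()
    foreach ($cert in Get-RootStoreCertificates) {
        if ($cert.NotAfter -lt (Get-Date)) { continue }   # do not carry expired roots over
        # DER-encoded public certificate only; the Root store holds no private keys anyway.
        $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
        $path  = Join-Path $OutDir ($cert.Thumbprint + '.cer')
        [System.IO.File]::WriteAllBytes($path, $bytes)
        $exported += New-Object PSObject -Property @{
            Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter; File = $path }
    }
    # The manifest is what you read to pick the few roots the server actually needs.
    $exported | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir 'manifest.csv')
    $exported
}

function Import-RootCertificate {
    param([string]$CerPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    # Only self-signed certificates belong in Root; an intermediate or cross-signed
    # certificate goes into the Intermediate Certification Authorities (CA) store.
    if ($cert.Subject -ne $cert.Issuer) { throw "Not a self-signed root: $($cert.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }   # Add is a no-op if already present
    $cert.Thumbprint
}

# On the reference workstation, after KB931125 has populated its store:
#   Export-ReferenceRoots -OutDir 'C:\refroots' | Format-Table Subject, NotAfter
# On the server, for only the roots you need (<THUMBPRINT> is a placeholder):
#   Import-RootCertificate -CerPath 'C:\refroots\<THUMBPRINT>.cer'
# To see what is expired on either machine:
#   Get-ExpiredRoots | Format-Table Subject, NotAfter, Thumbprint
```

Run the export on the reference VM, review manifest.csv, and copy only the .cer files you need to the server before importing them; Import-RootCertificate refuses a certificate whose subject and issuer differ, since such a certificate belongs in the Intermediate Certification Authorities store rather than Trusted Roots.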

Similar Messages

  • Removing / updating root certificates?

    I know from the documentation I've reviewed that the root certificate store isn't easily viewed in webOS. There is a knowledge base article that lists certs that come pre-installed (at least in 2.x), but that's the closest I've come to being able to see them.
    I have a need to remove one of the root certificates that came pre-installed, and I can't seem to find a way to do it. If I have to, I am open to writing an application toward this end, but I'm finding it difficult to believe that there isn't some easier way, or some HP internal tool that might do this.
    Do any of you have any suggestions? I really don't want to trust a particular CA for one minute longer than I have to.
    Alternatively, can anyone at HP tell me if you are planning to release a CRL for any of the compromised Diginotar CA certs, and if so, how quickly?
    I'm most concerned about this on the Touchpad and original Pre.
    Thanks.
    Post relates to: Pre p100eww (Sprint)


  • Go Daddy UCC Certificate: "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update"

    Hello,
    I have this issue regarding certificate chains while performing Outlook Anywhere connectivity test
    by Microsoft Remote Connectivity Analyzer:
    "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
    Note: even if I got the error, Outlook Anywhere and
    ActiveSync services work fine.
    Environment:
    - Exchange 2007 with SP3
    - Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
    I already read and followed instructions on this TechNet post
    Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert but it is a little bit different by this case.
    So after an investigation I understand the issue above is related to SSL certificate
    Certification Path (see screenshots below).
    NO ERRORS on ExRCA checking
    Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
    repository
    Go Daddy Class 2 Certification Authority is under Intermediate Certification Authorities
    repository
    Starfield Technologies (http://www.valicert.com)
    is under Trusted Root Certification Authorities repository
    ERROR on ExRCA checking
    Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
    repository
    Go Daddy Class 2 Certification Authority is under Trusted Root Certification Authorities
    repository
    Can you add some useful information?
    I'm opening a support ticket at Go Daddy; I hope they can give me some positive feedback.
    Regards,
    Luca Fabbri
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Strange, I have a feeling the ExRCA tool can't validate the GoDaddy Class 2 root authority due to some older compatibility and wants to use the older original root authority ValiCert-owned GoDaddy. Or when the ExRCA tool is validating the root CA it only has the
    GoDaddy Class 2 root CA that was issued by ValiCert and not the standalone cert when doing the comparison. I sent the question to MS and will let you know when I hear back.
    You can get rid of it
    https://certs.godaddy.com/anonymous/repository.seam
    Download the cert
    ◦ gd_cross_intermediate.crt
    Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other GoDaddy Class 2 root authority. Make sure you see the one you imported; both will be named GoDaddy Class 2 root authority but one will be issued by ValiCert.
    Re-run the test and it will go away, I also saw the error with my domain as well using godaddy and got rid of it by using the new cert authority.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
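Added example (not from James's post): the two certificates he describes share a subject name and differ only in who issued them, so the way to tell the ValiCert-issued copy from the self-signed one is the Issuer field. The PowerShell below, which uses the .NET X509Chain and X509Store classes with an illustrative subject filter and a placeholder thumbprint, reports which certificate a chain actually terminates at and lists every "Go Daddy Class 2" certificate in the Root and CA stores together with its issuer.

```powershell
# Added example, not from the thread: report the path Windows builds for a
# certificate and find same-named certificates across the Root and CA stores,
# distinguishing self-signed from cross-signed copies by their Issuer.
# The subject filter and the thumbprint in the usage lines are illustrative.

function Get-ChainReport {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip online revocation checks here; only the path-building result matters for this question.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $ok = $chain.Build($Leaf)
    $elements = @()
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $elements += New-Object PSObject -Property @{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            SelfSigned = ($c.Subject -eq $c.Issuer)
            Thumbprint = $c.Thumbprint
            Status     = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
        }
    }
    $top = $elements[$elements.Count - 1]   # last element is where the path stopped
    New-Object PSObject -Property @{
        Valid                      = $ok
        TerminatesAtSelfSignedRoot = $top.SelfSigned
        Elements                   = $elements
        ChainStatus                = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    }
}

function Find-CertificatesBySubject {
    param([string]$SubjectPattern)   # e.g. 'Go Daddy Class 2'
    foreach ($storeName in 'Root', 'CA') {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadOnly')
        try {
            foreach ($c in $store.Certificates) {
                if ($c.Subject -like "*$SubjectPattern*") {
                    New-Object PSObject -Property @{
                        Store = $storeName; Subject = $c.Subject; Issuer = $c.Issuer
                        SelfSigned = ($c.Subject -eq $c.Issuer); Thumbprint = $c.Thumbprint }
                }
            }
        } finally { $store.Close() }
    }
}

# Usage (<THUMBPRINT> is a placeholder for your server certificate in LocalMachine\My):
#   $leaf = Get-Item 'Cert:\LocalMachine\My\<THUMBPRINT>'
#   $r = Get-ChainReport -Leaf $leaf
#   $r.Elements | Format-Table Subject, Issuer, SelfSigned
#   $r.TerminatesAtSelfSignedRoot
#   Find-CertificatesBySubject 'Go Daddy Class 2' | Format-Table Store, Issuer, SelfSigned, Thumbprint
```

If the chain's last element has an Issuer that is not its own Subject, Windows is still terminating at the cross-signed copy, which is the situation the post describes; after the import-and-delete steps above, re-run the report and the last element should be the self-signed root.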

  • Update Windows Root Certificates in Windows 2008 R2 Disconnected Environment using WSUS

    Hi all, I need to update the root certs on all my Windows 2008 R2 servers. They have no internet connectivity. I am aware of the issue described by
    KB931125 but I am not affected by it. My issue is that I would like the 2008 R2 servers to update the root certs from my WSUS servers. Is this possible?

    I would suggest that you identify the few individual root certificates that you need, and import them individually to those servers where they are needed.
    It is NOT possible to update root certificates from a WSUS server, except in the case of workstations that are being configured to install KB931125.
    Do NOT install KB931125 to a server operating system.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA

  • Problem updating CA root certificates in cacerts file

    I've searched all over for this problem, and none of the postings seem to apply
    to my situation. Hope this is not a repeat post.
    I'm running WLS7 SP2 on W2K AS. I had SSL configured and working properly, until
    1/7/2004 came along, of course. I followed the directions in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436
    to update the Verisign Class2 and 3 root certificates in the cacerts file without
    any problem. I also verified from the WL log that the server is reading the "cacerts"
    file located in <bea_home>\server\lib. However, when I pulled up my website using
    https://, I still get the "...security certificate has expired ..." message.
    Why is my browser not getting the updated CA certificates from WLS?
    Any help you can provide is much appreciated.
    Michael An

    Is the server's identity certificate issued by Verisign? Have you updated it? Does
    the identity certificate chain include the root CA certificate? It might be that
    the browser contains the expired certs among its trusted ca certificates, uses
    them to complete the chain and then complains about it.
    Pavel.

  • Can't find Root certificate update (KB931125) in SCCM

    Hi!
    As the thread title says, I can't find the update for the new root certificate in the SCCM console but I can see it in the WSUS console. I am in the middle of migrating from 2007 to 2012 so I have two environments and in 2007 I can see one update, Windows 7 [April
    2012], which is expired. If I check in the WSUS console I can see that there is one for March 2014.
    In my 2012 environment I can see the same updates in WSUS but none appear in the SCCM console.
    I synchronize Windows 7 products and all classifications but Tools and Drivers.
    I have created a search folder with the criterion ArticleID equals 931125 and I can only find the expired update from April 2012.
    I'm not sure how I can troubleshoot this?
    Thanks!
    EDIT: I forgot to mention that the synchronization of new updates is working just fine, it's just this update I can't get into the SCCM console.

    Honestly, I think this is a bug and should be reported to CSS. The November 2013 edition of this update is valid but they unfortunately expired a later revision of the update (April 2014) and I think that this is/may be throwing off the sync between
    ConfigMgr and WSUS as it's not a normal scenario.
    Jason | http://blog.configmgrftw.com

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) - Expired on SCCM 2012 March 2014 SUG

    Hi all,
    The "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired on SCCM 2012 March 2014 SUG. Is this a problem and is there going to be any fix for this which we can expect in the future?

    I don't have a 931125 for March 2014; however, I do have a November 2013 for 931125 which is still valid. Per the KB (http://support.microsoft.com/kb/931125) the November 2013 is the current and valid version.
    931125 is an unusual update as they simply update it with a new version instead of creating a new KB that supersedes it. Now, why they expired the March 2014 version is unknown but they probably found an issue with it shortly after it was released.
    As a rule, you should always ensure that the search you use or criteria in your ADR excludes expired updates.
    So, to answer the question, no this isn't an issue.
    Jason | http://blog.configmgrftw.com

  • Supersedence problem causing update loop for Root Certificates

    Specs: Server 2008 R2, WSUS 3.0, SCCM 2012 R2, Windows 7 Clients/Updates
    The issue is with the Root Certificate update from December 2012.  The update is not marked as superseded by the November 2013 Root Certificate update.  Is this an issue with Microsoft, or with my WSUS server? Is there any way I can remove or decline
    the Dec2012 update so that the March 2014 update can take over as the most current update?
    I have tried the KB931125 article and all the other resources with these updates, but my problem doesn't seem to be noted in these articles. From what I can find, the update from Dec2012 has not been installed on my WSUS Server.
    Thank you for the help,
    Phill

    AFAIK the current situation is this:
    "March 2014" was expired by Microsoft on March 17:
    The only KB931125 update that still is applicable is the "November 2013" update.
    ALL other KB931125 updates should be "Declined".
    Rolf Lidvall, Swedish Radio (Ltd)
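Added example (not from Rolf's post): declining every KB931125 revision on a WSUS server except the one that is still current, through the WSUS .NET administration API that ships with the WSUS console (the UpdateServices PowerShell module does not exist on WSUS 3.0). Matching the update to keep by the words "November 2013" in its title follows the reply above and is an assumption; the function only reports what it would do unless you pass -Commit.

```powershell
# Added example, not from the thread: list the KB931125 revisions WSUS knows
# about and decline all but the one still current. Run on the WSUS server
# (or a machine with the WSUS console installed) as a WSUS administrator.
# The "November 2013" title match is an assumption taken from the reply above.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Get-Kb931125Updates {
    param($Server = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer())
    # KnowledgebaseArticles holds KB numbers without the "KB" prefix.
    $Server.GetUpdates() | Where-Object { $_.KnowledgebaseArticles -contains '931125' }
}

function Invoke-DeclineStaleRootUpdates {
    param(
        [string]$KeepTitleMatch = 'November 2013',   # assumption: the revision to keep
        [switch]$Commit                               # without -Commit nothing is changed
    )
    foreach ($u in Get-Kb931125Updates) {
        # Keep only the named revision, and only if Microsoft has not expired it.
        $keep = ($u.Title -like "*$KeepTitleMatch*") -and ($u.PublicationState -ne 'Expired')
        $action = if ($keep) { 'keep' } elseif ($u.IsDeclined) { 'already declined' } else { 'decline' }
        New-Object PSObject -Property @{
            Title = $u.Title; Arrival = $u.ArrivalDate; State = $u.PublicationState; Action = $action }
        if ($Commit -and $action -eq 'decline') { $u.Decline() }
    }
}

# Dry run first, then commit:
#   Invoke-DeclineStaleRootUpdates | Format-Table Title, State, Action
#   Invoke-DeclineStaleRootUpdates -Commit
```

Because 931125 is re-released under the same KB number rather than superseded, the title (with its month and year) is the only practical handle for telling revisions apart; if Microsoft publishes a newer valid revision, change -KeepTitleMatch accordingly before committing.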

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) Expired

    Hi All
    Today I wanted to deploy the security updates of the month March 2014 to my production environment.
    I noticed that the update "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired.
    Strange, last week I added this update in our Acceptance environment with no problems.
    Does someone know what happened to this update? I cannot find it on the Microsoft site.
    Regards,
    Johan

    Hi Yan Li,
    I don't understand what you're trying to say.
    Why do you quote that old information from the KB article? It's not really relevant to the update Johan asked about because the December 2012 version of KB931125 is not the same update that was released on March 11, 2014 which then immediately expired.
    It's not only the server updates that have been expired this time. It's the Windows 7 update and the Windows XP updates as well. I don't have any other OS versions in my managed environment so I don't know which other OS versions it affects but my guess is
    it's expired on all of them.
    It would be nice with some real information about why this particular version (March 2014) was recalled.
    If there is a problem with it I would like to know what kind of problems I'll be facing on the clients that did install it before it expired.
    And if there is a problem with it, will there be an interim fix available? Will a new update be released and if so- when?
    Can you please see if you can provide us with some relevant information?

  • How to include a new root certificate in BlackBerry device

    Dear Sir/Madam,
     TWCA is a certification authority in Taiwan that provides security systems for internet banking, stock trading, e-commerce and SSL certification services in the Asia-Pacific region. TWCA wishes to add its root certificate to BlackBerry mobile devices so that our customers may use BlackBerry mobile devices to do internet banking and stock trading on secured SSL websites. Could you provide some information about the BlackBerry/RIM root certificate program?
    Thanks and Regards.
     Blues Lin

    Hi and Welcome to the Forums!
    It sounds like your question is of a formal nature -- as in you wish to communicate directly with RIM for your query. Unfortunately, these forums are not a user-to/from-RIM communication vehicle -- rather, they are a user-to-user support forum. As such, it is unlikely that anyone from RIM will see and respond to your question. Hopefully some other user knows how to advise you, but I just wanted to set your expectation correctly about what to expect from these forums.
    Good luck!
    Occam's Razor nearly always applies when troubleshooting technology issues!

  • Root certificate is not trusted

    Hi!
    I have installed the internally signed certificates according to the steps in the Oracle documentation, however, I still get the error that "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
    Below is the error I receive when starting UCM server:
    <27-Dec-2011 13:39:18 o'clock CET> <Notice> <Security> <BEA-090898> <Ignoring the trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=(c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=VeriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certificate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object: 1.2.840.113549.1.1.11.>
    I get this error when I click on the certificate in the browser. Below are the steps I performed. Can anyone help me understand, perhaps, I import my certificates incorrectly?
    1. I've created a custom keystore using the following command:
    keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname "CN=<domain name like test.com etc>, OU=<unit like Customer Support etc>, O=<your organization>, L=<your location>, ST=<state>, C=<country code like US>" -keystore identity.jks
    2. Next, I generated a certificate signing request using this command:
    keytool -certreq -alias mykey -file cert.csr -keystore identity.jks
    3. After I received three certificates signed by our internal authority (main, intermediate, root), I imported each one of them.
    4. I inserted those one by one into my custom store generated during step 1 first. I used the following command for each certificate:
    keytool -import -trustcacerts -keystore mystore.jks -storepass password -alias Root -file Trustedcaroot.txt
    5. I also inserted all three into the JAVA_HOME cacerts file, located at C:/Program Files/Java/jrockit.../jre/lib/security/cacerts, using the same command as in step 4.
    Next, I configured UCM_server 1 KEYSTORE to use Custom Identity and Java Trust, and pointed Custom Identity to my custom keystore file created in step 1 and Java Trust to the cacerts file updated in step 5.
    Despite all the steps above I cannot get the certificates to work. When I look at the certificate, it tells me that "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
    Edited by: 867498 on 27-Dec-2011 05:45

    I've managed to get rid of the error, however the certificate still does not reflect the trusted chain and doesn't point to the "Root" certificate. Any ideas?
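Added example (not the poster's commands): the OID in the BEA-090898 message, 1.2.840.113549.1.1.11, is sha256WithRSAEncryption, so the message literally says that the JVM's provider could not parse that VeriSign root's signature algorithm, which is a separate matter from how the poster's own chain is imported. For the import itself, keytool expects the root and intermediate to be imported with -trustcacerts first and the signed reply to be imported under the same alias as the private key, so that the key entry becomes a chain rather than sitting beside three unrelated trusted certificates. The PowerShell below drives keytool that way on Windows and then reads back the chain length; JAVA_HOME, the file names, the aliases and the password are illustrative assumptions.

```powershell
# Added example, not from the thread: import an internally signed server
# certificate into a keytool keystore in the order keytool expects, then check
# that the key entry carries the full chain. Paths, aliases and the password
# are placeholders; JAVA_HOME is assumed to point at the JDK in use.

$keytool   = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore  = 'identity.jks'
$storePass = 'changeit'   # placeholder, not a recommendation

function Invoke-Keytool {
    param([string[]]$KeytoolArgs)
    & $keytool @KeytoolArgs
    if ($LASTEXITCODE -ne 0) { throw "keytool failed: $($KeytoolArgs -join ' ')" }
}

function Import-SignedChain {
    param([string]$RootCer, [string]$IntermediateCer, [string]$SignedReplyCer, [string]$KeyAlias = 'mykey')
    # 1. Trust anchors first, each under its own alias, so keytool can verify the reply.
    Invoke-Keytool @('-import','-noprompt','-trustcacerts','-alias','internalroot','-file',$RootCer,
                     '-keystore',$keystore,'-storepass',$storePass)
    Invoke-Keytool @('-import','-noprompt','-trustcacerts','-alias','internalinter','-file',$IntermediateCer,
                     '-keystore',$keystore,'-storepass',$storePass)
    # 2. The signed reply goes under the SAME alias as the private key generated with -genkey;
    #    keytool then attaches the chain it can build from the anchors just imported.
    Invoke-Keytool @('-import','-trustcacerts','-alias',$KeyAlias,'-file',$SignedReplyCer,
                     '-keystore',$keystore,'-storepass',$storePass)
}

function Get-ChainLength {
    # Reads "Certificate chain length: N" from keytool -list -v for the key alias.
    # 3 means leaf + intermediate + root; 1 means the reply was stored as a lone certificate.
    param([string]$KeyAlias = 'mykey')
    $out   = & $keytool -list -v -alias $KeyAlias -keystore $keystore -storepass $storePass
    $match = $out | Select-String -Pattern 'Certificate chain length:\s*(\d+)'
    if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }
}

# Usage (file names are placeholders):
#   Import-SignedChain -RootCer root.cer -IntermediateCer inter.cer -SignedReplyCer server.cer
#   Get-ChainLength          # a complete chain reports 3
```

If Get-ChainLength reports 1, the reply was imported under a different alias than the key (as the -alias Root command in step 4 would do), and the server will present only the leaf certificate, which is exactly the "does not reflect the trusted chain" symptom in the follow-up.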

  • WindowsUpdate - Root Certificates

    We currently receive thousands of events in each workstation's event viewer because we are blocking file downloads for our end users. We would like to add a Policy to allow the following files to be downloaded from Microsoft to ensure the Root Certificate downloads are being allowed:
    www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
    ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
    ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    Without allowing everything to windowsupdate.com; how we would allow the specific files to be downloaded? If I add the domain to our Whitelist then the Regular Expressions field gets bypassed (unless I am misinterpreting something).

    Hi Jake,
    You may add those URLs into the Regular Expressions field without having to add the domain into the whitelist.  Just remember the WSA generally looks from the top-to-bottom.  If you add windowsupdate.com to the whitelist AND have a Regular Expression, the whitelist will take effect since it is above the Regular Expression.
    -Vance
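Added example (not from Vance's reply): what an anchored pattern for just those three files looks like, with a small PowerShell check harness over constructed URLs. The pattern is written in .NET regex syntax; the WSA's Regular Expressions field has its own dialect, so check its documentation before pasting. Anchoring both the host and the full path is what keeps the rule from matching the rest of windowsupdate.com, or a hostname that merely contains that string.

```powershell
# Added example, not from the thread: an anchored allow pattern for the three
# root-certificate download URLs named above, plus a check over constructed
# sample URLs. .NET regex syntax; adapt to the WSA's dialect before use.

$RootUpdatePattern = '^https?://(www\.download|ctldl)\.windowsupdate\.com' +
                     '/msdownload/update/v3/static/trustedr/en/' +
                     '(authrootseq\.txt|authrootstl\.cab|disallowedcertstl\.cab)$'

function Test-RootUpdateUrl {
    param([string]$Url)
    $Url -match $RootUpdatePattern
}

# Constructed sample URLs: the three from the question, then three that must NOT match.
$samples = @(
    'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt',        # allow
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab',       # allow
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab',             # allow
    'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab.exe',         # deny: trailing suffix
    'http://ctldl.windowsupdate.com.example.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab', # deny: host only contains the name
    'http://download.windowsupdate.com/some/other/path.cab'                                                 # deny: rest of the domain
)

foreach ($u in $samples) {
    '{0,-5} {1}' -f (Test-RootUpdateUrl $u), $u
}
```

The first three lines print True and the last three print False; drop the `^` or `$` anchors and the fourth and fifth URLs start matching too, which is the difference between allowing three files and allowing a domain.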

  • Having problem getting installed root certificate to work

    We have a reverse proxy set up with an SSL certificate signed by our local CA.  We are trying to connect to this reverse proxy from iPad over 3G connection.
    Initially, we received the error "Safari cannot open the page because it could not establish a secure connection to the server".  Reading up on this, realized that we needed to install the CA root certificate as a trusted root on the device.
    Got iPhone Configuration Utility, set up a configuration profile for the sole purpose of installing the certificate, added the certificate through the Credentials section, and assigned the profile to the device.  I can see the certificate updated to the device through General > Profiles and can confirm that it IS the root certificate used to generate the SSL certificate on the proxy.
    Even after application to the iPad (tried on iPhone also), attempting to access our proxy server from the iOS device fails with the same error.
    It is interesting to note that on a personally owned iPad, instead of the error noted, I received a pop-up indicating the certificate was unknown, and I was presented with options to "Cancel, Details, Continue".  Clicking on "Details", I was allowed to view the certificate properties, and ALSO had a button to "Accept".  Hitting "Accept" installed the certificate as trusted, and I get through the proxy server just fine.  Only problem now is that if I *want* to re-create the prompt, I have no way, as I've found no way to remove certificates from the iPad unless installed via configuration profile.
    We've checked and double-checked, and the certificates all "line up" to the correct CA.
    Any ideas where I might be going wrong?
    Thanks!

    New clue....
    I only have the problem of not connecting to the proxy server if I'm using a 3G connection.  If I turn on wi-fi, connect to an access point, the installed root certificates do their job, and I connect just fine.
    Anyone know of potential problems with SSL certificates over 3G?

  • MacBookpro Receiving pop up warnings: Error: Unable to establish a secure connection to pop.mail....etc. because the correct root certificate is not installed. Help needed please.

    My Entourage is very slow and 2 Error pop ups (above) are showing. Additionally, a warning about the start up disk being full. I decided to back up to an external HD. When backing up I was surprised to see 9.4GB in the category named 'Other'. I've probably got too much junk stored here (unless it could be iMovie files?). If I could see what was in 'Other', and delete what I don't need, this may be the answer to freeing up more space. The next big file I have is under 'Pictures' which is 1.7GB. I have never downloaded any video or YouTube stuff.
    This is my first experience on this forum.

    Apple in their glorious wisdom did not update the root certificates for users of 10.5, only for 10.6 and later.
    You'll need to make some changes; open your Keychain Access in your Applications or Utilities folder.
    Delete the compromised DigiNotar root certificates, also change the Keychain Access preferences > Certificates to
    Best Attempt
    Best Attempt
    Require Both
    Because the Certificate Authorities themselves are being attacked, you need the most recent and varied source of valid certificates so your computer does the best it can to verify the site you're visiting is legitimate.
    Also make sure the time and date on your computer is accurate and updated with Apple's time servers; allow any such time requests out your outgoing firewall (aka LittleSnitch).
    You might decide to upgrade to 10.6, it's the best OS version for users of Intel Macs, strips out the PowerPC code you're not using and improved video drivers for better graphics performance. It should run most of your 10.5 software with just minor updates at most.
    Please backup your data off the machine (not TimeMachine) before doing anything as you might need to wipe the drive if the upgrade doesn't go correctly.
    http://store.apple.com/us/product/MC573Z/A
    However OS X Lion 10.7 is a radical change, won't run your older software or drivers and will likely be slow on most older hardware. I'd advise against installing it; buy it with a new machine instead.

  • EDirectory install - failed to retrieve self-signed root certificate:142

    Hi,
    My installation has 2 NICs, public & internal.
    My tree name is IS.
    I have successfully installed and used Red Carpet. I additionally enabled
    the Firewall and DHCP server to allow internet access to my users.
    On running YaST install for eDirectory I am given the default IP address
    of the server, this is the Public IP address - I decided that eDirectory
    was for internal use so changed IP address to internal one.
    At 50% of installation an error pops up :-
    Error
    The installation failed to retrieve the self-signed root certificate:142
    I aborted the installation.
    I retried the install using the public IP address, it complains ports are
    already in use, I chose ignore and go ahead. Same error occurs :142.
    Your assistance and guidance would be appreciated.

    > Hi Johan,
    >
    > Thanks for sticking with me... I appreciate your time and help (believe
    > me, It's a great help..)
    >
    > I have cracked it...
    >
    > On a reboot, I chose to press F2 to get rid of the Suse Chameleon screen
    > and watched the boot process progress. I then noticed that it was unable
    > to contact my specified NTP source.
    >
    > I went into Yast Ntp client and changed my NTP source to other published
    > secondary NTP servers and all failed. I then put in the ip address of one
    > of the time servers and Bingo! ntp connected...I think I've seen this
    > before with Netware...where name resolution of the ntp server name does
    > not occur....most ntpserver administrators state they prefer you contact
    > the server by name rather than address...hmmm.....
    >
    > I then retried Yast eDirectory install and it was a breeze, as was the
    > iManager install....
    >
    > GroupWise here I come...
    >
    > Rgds.
    >
    > Stan Chelchowski
    >
    Hi, this is Roy.
    Had the same issue. Using a Supermicro with a built-in dual NIC.
    Disabled it and installed an old PCI NIC to test and it finally loaded the
    eDirectory without an error.
    On another note, I am installing the NLSBS 9.0 and had to manually load
    the disk drivers since I have an Adaptec 2010S RAID adapter. I had
    installed SUSE 9.3 on the same machine earlier with absolutely no issues,
    but NLSBS is a pain. If you run Red Carpet and update all, then the driver
    issue returns.
    How do you get and install the service pack 2?
    Thanks,
    Roy
