Sunday, December 06, 2009

Windows 7 can't always automatically update root certificates?

Today Secunia PSI refused to run with the message: "an error occurred while verifying the security certificate". Then I found that IE refused to show because the certificate was "not issued by a trusted certificate authority". Firefox did not have a problem with that webpage. For some reason, IE did not recognize the "Thawte Server CA" certificate. IE also refused to recognize StartSSL.

This was really weird, because as far as I know, Windows 7 is supposed to automatically update root certificates. Microsoft even explains how the process works in Vista. My first thought was that my firewall was blocking the update, but that was not it. Event log showed event 4100 from CAPI2, which is "Successful auto update retrieval of third-party root certificate". The problem was event 4110: "Failed to add certificate to Third-Party Root Certification Authorities store with error: A certificate chain could not be built to a trusted root authority."

I manually downloaded and installed the latest root certificate update from Windows Update. After that, everything works. I'm just left wondering why I had to deal with this in the first place.


Boris Gjenero said...

I think this may be because Cryptographic Services (CryptSvc) was unable to access the Internet because of the firewall. Its description says that it includes the "Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update".

There are CAPI2 events relating to downloading and unpacking a root certificates .CAB file, and those do not appear in my event log.

C├ędric le blogger said...

Thank you for this post, run into the same problem today and found the solution here =)

Have a nice day !

TinyMonkey said...

Urgh.. we spent some time going round in circles with this earlier after rolling out a few Win7 clients on our 2008R2 domain.

Resolved (after much faff & the help of your post :) by granting access to the Windows Update domains ( and Poking around it looks like the Crypto service is using wuauclt.exe to fetch the certs. Since we're using an internal WSUS, have 80/443 closed at the FW, and Win7 clients operating through a proxy (without winhttp set), it wasn't getting anywhere...

Also noticed that the Update for Root Certificates (KB931125) is not published for the Win7 Product in WSUS, only XP.

Mark Allcock said...

We too have the same problem as we're behind an ISA 2006 firewall (I thought I was going mad).

At the moment we've poked a hole through our firewall to permit unadulterated access to and the windows update website. This is undesired and I'm amazed that there is so little on this issue around the internet.

Will look to raising awareness over the next few days. Might even raise a PSS call if we can avoid the cost.

Anonymous said...

This one had me pulling my hair out as well! (Again, firewalled outbound traffic, internal WSUS, proxy, etc.)

Ben Dover said...

Jeez i spent 2 weeks with this problem. Ran the update and it worked like magic.

Thanks guys

Liran said...

Tnx !!!!
Its really works !
I was tring almost evrything including formatting my PC , re-install my firewall and so on ...

Now its work beutifully :)

Now I only have one problem left to solve in Win7 Ent: Installing the whale communication to my work IAG.

Mars said...

You saved me a lot of time! Huge thanx!

WK said...

thanks for the post. i have issues with gtalk and windows update on windows 7. but all went OK after the update.

Anonymous said...

Gracias, ya iva a reinstalar el Windows 7, me haz ayudado bastante, y ahorre un tiempo valioso, gracias nuevamente

Anonymous said...

Thanks A lot for your help.
I am searching for any answer to not logging into MSN Messenger for many reasons but after the update every thing is OK.
Thanks again for your help

Nader Nabil
Cairo, EGYPT

Boris Gjenero said...

I just had another problem: digital signatures of Adobe Flash Player installation files could not be verified. This time I enabled logging in Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational. There I saw that requests from explorer.exe were failing. I temporarily allowed explorer.exe through the outgoing firewall and I was able to verify the signatures.

Boris Gjenero said...

The May 2010 root certificate update is now available at the same place:

Unknown said...

The "netsh winhttp set proxy" command allows you set a "system wide proxy".

With this properly configured Root CA certificate download and CRL access will work through a proxy.


Unknown said...

Boris - thank you!!! This problem was effecting a whack of annoying browsing cert errors as well as preventing me from uploading pics to Google Picasa Web Albums.

Unknown said...

I was having trouble installing SQL Server Data Tools 2012 because of same issue.

I finally tried this solution and it works like breeze :-)

Thanks a bunch!

Doug Volz said...

Many thanks, with my Win 7 Pro, 64-Bit laptop, this just fixed my QuickBook Pro error, was not able to update Payroll due to a verisign cert problem, known to Quickbooks Pro Payroll users as the dreaded error 15223. Once I ran the rootsupd.exe program from microsoft the Payroll error went away. Doug

Black Towers Online said...

To Manually install the certificates

1. Download

2. Extract the files using the command rootsupd.exe /c /t:C:\temp\extroot

3. from c:\temp\extroot run the following 4 commands (from an elevated prompt)

updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst

4. Do a little dance

H. L. said...


Unknown said...
This comment has been removed by the author.
Unknown said...

thanks very much! This was very helpful (and Microsoft was spectacularly unhelpful).

Yousuf Haider said...

how to do it remotely.
when i ran "rootsupd.exe /c /t:C:\PS\rootsupd" it opens a dialog box and asking to overwrite.
can we run it silently by adding any parameters to auto select NO? I am trying to do it remotely but stuck in the dialog box option.