Today Secunia PSI refused to run with the message: "an error occurred while verifying the security certificate". Then I found that IE refused to show https://secunia.com because the certificate was "not issued by a trusted certificate authority". Firefox did not have a problem with that webpage. For some reason, IE did not recognize the "Thawte Server CA" certificate. IE also refused to recognize StartSSL.
This was really weird, because as far as I know, Windows 7 is supposed to automatically update root certificates. Microsoft even explains how the process works in Vista. My first thought was that my firewall was blocking the update, but that was not it. Event log showed event 4100 from CAPI2, which is "Successful auto update retrieval of third-party root certificate". The problem was event 4110: "Failed to add certificate to Third-Party Root Certification Authorities store with error: A certificate chain could not be built to a trusted root authority."
I manually downloaded and installed the latest root certificate update from Windows Update. After that, everything works. I'm just left wondering why I had to deal with this in the first place.
22 comments:
I think this may be because Cryptographic Services (CryptSvc) was unable to access the Internet because of the firewall. Its description says that it includes the "Automatic Root Certificate Update Service, which retrieves root certificates from Windows Update".
There are CAPI2 events relating to downloading and unpacking a root certificates .CAB file, and those do not appear in my event log.
Thank you for this post, ran into the same problem today and found the solution here =)
Have a nice day !
Urgh.. we spent some time going round in circles with this earlier after rolling out a few Win7 clients on our 2008R2 domain.
Resolved (after much faff & the help of your post :) by granting access to the Windows Update domains (.windowsupdate.com and .microsoft.com). Poking around it looks like the Crypto service is using wuauclt.exe to fetch the certs. Since we're using an internal WSUS, have 80/443 closed at the FW, and Win7 clients operating through a proxy (without winhttp set), it wasn't getting anywhere...
Also noticed that the Update for Root Certificates (KB931125) is not published for the Win7 Product in WSUS, only XP.
We too have the same problem as we're behind an ISA 2006 firewall (I thought I was going mad).
At the moment we've poked a hole through our firewall to permit unadulterated access to microsoft.com and the windows update website. This is undesired and I'm amazed that there is so little on this issue around the internet.
Will look to raising awareness over the next few days. Might even raise a PSS call if we can avoid the cost.
This one had me pulling my hair out as well! (Again, firewalled outbound traffic, internal WSUS, proxy, etc.)
Jeez, I spent 2 weeks with this problem. Ran the update and it worked like magic.
Thanks guys
Tnx !!!!
It really works!
I was trying almost everything, including formatting my PC, reinstalling my firewall and so on...
Now it works beautifully :)
Now I only have one problem left to solve in Win7 Ent: Installing the whale communication to my work IAG.
You saved me a lot of time! Huge thanx!
Thanks for the post. I had issues with Gtalk and Windows Update on Windows 7, but all went OK after the update.
Thanks, I was about to reinstall Windows 7. You have helped me a lot and I saved valuable time. Thanks again.
Thanks A lot for your help.
I am searching for any answer to not logging into MSN Messenger for many reasons but after the update everything is OK.
Thanks again for your help
Nader Nabil
Cairo, EGYPT
I just had another problem: digital signatures of Adobe Flash Player 10.0.45.2 installation files could not be verified. This time I enabled logging in Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational. There I saw that requests from explorer.exe were failing. I temporarily allowed explorer.exe through the outgoing firewall and I was able to verify the signatures.
The May 2010 root certificate update is now available at the same place: http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
The "netsh winhttp set proxy" command allows you to set a "system wide proxy".
With this properly configured Root CA certificate download and CRL access will work through a proxy.
Regards,
Antoine
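A triage script for the failure described in the post (event 4100 followed by event 4110) and for the WinHTTP proxy setting mentioned in the comment above. This is an added example, not part of the original post or its comments; it assumes the CAPI2 events are written to the Application log under the provider name Microsoft-Windows-CAPI2, and the 30-day window is an arbitrary choice.

```powershell
# Added example: check whether root certificate auto-update is retrieving
# roots (event 4100) but failing to add them to the store (event 4110).
# Assumption: events are in the Application log, provider Microsoft-Windows-CAPI2.

$since = (Get-Date).AddDays(-30)   # arbitrary look-back window

# @(...) guarantees an array even when no events match
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4100, 4110
    StartTime    = $since
} -ErrorAction SilentlyContinue)

$retrieved = @($events | Where-Object { $_.Id -eq 4100 })
$failedAdd = @($events | Where-Object { $_.Id -eq 4110 })

"Successful retrieval (4100): {0}" -f $retrieved.Count
"Failed to add to store (4110): {0}" -f $failedAdd.Count

if ($failedAdd.Count -gt 0) {
    # The case from the post: the download works, the store update does not.
    "Most recent 4110 events:"
    $failedAdd |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 5 TimeCreated, Id, Message |
        Format-List
}
elseif ($events.Count -eq 0) {
    # No retrieval events at all: consistent with the service being unable
    # to reach Windows Update (firewall, or no WinHTTP proxy configured).
    "No 4100/4110 events since $since."
}

# System services use the WinHTTP proxy, not the per-user browser proxy.
"Current WinHTTP proxy configuration:"
netsh winhttp show proxy
```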
Boris - thank you!!! This problem was effecting a whack of annoying browsing cert errors as well as preventing me from uploading pics to Google Picasa Web Albums.
I was having trouble installing SQL Server Data Tools 2012 because of same issue.
I finally tried this solution and it works like breeze :-)
Thanks a bunch!
Madhan
Many thanks, with my Win 7 Pro, 64-Bit laptop, this just fixed my QuickBooks Pro error, was not able to update Payroll due to a VeriSign cert problem, known to QuickBooks Pro Payroll users as the dreaded error 15223. Once I ran the rootsupd.exe program from Microsoft the Payroll error went away. Doug
To manually install the certificates:
1. Download http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
2. Extract the files using the command
    rootsupd.exe /c /t:C:\temp\extroot
3. From c:\temp\extroot run the following 4 commands (from an elevated prompt)
    updroots.exe authroots.sst
    updroots.exe updroots.sst
    updroots.exe -l roots.sst
    updroots.exe -d delroots.sst
4. Do a little dance
THX!
Thanks very much! This was very helpful (and Microsoft was spectacularly unhelpful).
How to do it remotely?
When I ran "rootsupd.exe /c /t:C:\PS\rootsupd" it opens a dialog box asking to overwrite.
Can we run it silently by adding any parameters to auto select NO? I am trying to do it remotely but am stuck at the dialog box option.