18 February 2011

Machines unable to automatically update root certificates fail on various applications

How to manually update a Windows machine's trusted certificate store.

SSL certificates work in chains.

The lower certificate (red) chains up to the intermediate certificate (green), which in turn chains up to the root certificate (purple). The chain is trusted because the local machine can match the root certificate at the top of the chain against a copy in its own certificate store. If the root CA's certificate is not in the local certificate store, the chain is broken and the certificate is no longer trusted.

This does not mean SSL will stop working or encrypting; it just means that certain things will break, often unexpectedly or with strange error messages.
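The quickest way to see which link of the chain is missing on a given machine is to fetch the server's certificate and let Windows try to build the chain against the local store. The following PowerShell is an added example, not part of the original post; the hostname in `$Target` is a placeholder you replace with the server that is failing, and revocation checking is switched off so that the result reflects only the trust-store question, not CRL reachability.

```powershell
# Added example: diagnose a broken certificate chain against the local root store.
# $Target is an assumed placeholder; set it to the server you are troubleshooting.
$Target = 'www.example.com'
$Port   = 443

# Open a TLS connection and capture the certificate the server presents.
# The callback returns $true so the handshake completes even if the chain is broken;
# the real validation is done explicitly further down.
$client = New-Object System.Net.Sockets.TcpClient($Target, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($Target)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# Build the chain using the machine's own certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust-store problems from CRL problems
$trusted = $chain.Build($leaf)

"Leaf certificate: $($leaf.Subject)"
foreach ($el in $chain.ChainElements) {
    if ($el.ChainElementStatus.Count -eq 0) {
        $status = 'OK'
    } else {
        $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    }
    "  {0}  [{1}]" -f $el.Certificate.Subject, $status
}

if (-not $trusted) {
    # The highest certificate Windows could find tells you which root is missing.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain does not end in a trusted root. Issuer of the top certificate: $($top.Issuer)"
    $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $top.Issuer }
    "That issuer is present in Cert:\LocalMachine\Root: $([bool]$present)"
}
```

A status of `UntrustedRoot` or `PartialChain` on the top element is the symptom the post describes: the server's side of the chain is fine, but the machine has nothing in its root store to anchor it to.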

The reason your machine might not be updating the root certificates automatically could be that it is behind a corporate SUS server, or that it has very limited internet access and cannot connect to the Windows Update servers.

There is hope though. Because of the limited update ability in Windows XP, Microsoft supplies a root certificate update package for download.

You can download it from here: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

This file is periodically updated, so the link should remain valid in the future too.
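Because the package is fetched over plain HTTP, it is worth checking its Authenticode signature before executing it on a machine, and worth confirming afterwards that the root store actually grew. The script below is an added example, not part of the original post or of Microsoft's package; it uses the download link from the post, and assumes the package still carries a Microsoft signature. No command-line switches are passed to rootsupd.exe, so it runs interactively and the script waits for it to finish.

```powershell
# Added example: download the root update package, verify its signature, run it,
# and report how many trusted roots the machine store holds before and after.
$Url  = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe'
$Path = Join-Path $env:TEMP 'rootsupd.exe'

(New-Object System.Net.WebClient).DownloadFile($Url, $Path)

# Refuse to run anything that is unsigned, tampered with, or not signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $Path
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $Path : signature status is $($sig.Status)"
}
if ($sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
    throw "Refusing to run $Path : signer is $($sig.SignerCertificate.Subject)"
}
"Signature OK, signed by: $($sig.SignerCertificate.Subject)"

$before = (Get-ChildItem Cert:\LocalMachine\Root).Count
Start-Process -FilePath $Path -Wait
$after  = (Get-ChildItem Cert:\LocalMachine\Root).Count

"Trusted roots in Cert:\LocalMachine\Root: $before before, $after after."
```

Note that `Get-AuthenticodeSignature` itself needs the Microsoft signing root to be present in the store; that root ships with every Windows install, so the check is meaningful even on a machine whose other roots are stale.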

