16 February 2011

Windows Server 2003 trusted root certificate authority not updated

Certificates work in chains: each certificate has to be issued by a CA that is itself trusted, and if that chain cannot be followed all the way up to a trusted root, the certificate is not trusted.

I had a Windows 2003 server that gave me this issue when attempting to use an SSL-hosted API.

When I connected to their site with IE as part of troubleshooting, I got this as the result:

The problem was that the root CA was not trusted. Normally this list of trusted CAs is updated automatically through Windows Update and other mechanisms.

To fix this issue I had to manually download and install the trusted root for the application to work.

(Browse to the CA's site, download the trusted root certificate, and import it on the 2003 server.)

The reason it is not updated is explained in the Microsoft KB article (KB 931125), quoted here:

Windows Server 2003, Windows Server 2008, Windows Server 2008 R2

The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003.  Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP.  And since the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs.  However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions. 

If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs increases significantly in size and may cause the list to grow too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885.  In Windows Server 2003, the issuer list cannot be greater than 0x3000.  For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 933430  Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003. 

Sounds kind of complex.
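As an added example (not code from the original post), the PowerShell script below does the manual fix described above and checks the caveat from the KB article: it shows the chain status the way Schannel sees it, imports the downloaded root into the machine's Trusted Root store, and estimates the size of the root issuer list that Server 2003 truncates above 0x3000 bytes. The two file paths are placeholders, and it assumes PowerShell and .NET 2.0 are installed on the host.

```powershell
# Added example, not code from the original post. File paths are placeholders.
$ServerCertPath = 'C:\certs\server.cer'   # the API host's certificate, exported from IE
$RootCertPath   = 'C:\certs\root.cer'     # the root downloaded from the CA's site

function Test-CertChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust errors from CRL reachability
    $ok = $chain.Build($cert)                       # walks up to the LocalMachine\Root store
    foreach ($el in $chain.ChainElements) {
        $flags = @($el.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
        if ($flags.Count -eq 0) { $text = 'OK' } else { $text = [string]::Join(',', [string[]]$flags) }
        Write-Host ("{0,-55} {1}" -f $el.Certificate.Subject, $text)
    }
    return $ok      # $false with UntrustedRoot on the top element is the symptom in this post
}

function Import-RootCert {
    param([string]$Path)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($root.Subject -ne $root.Issuer) { throw "Not a self-signed root: $($root.Subject)" }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadWrite')    # needs local admin; this is what the MMC import wizard does
    $store.Add($root)
    $store.Close()
}

function Get-RootIssuerListBytes {
    # Schannel advertises the DER subject name of every trusted root when it requests a
    # client certificate; KB 931125 says Server 2003 truncates that list above 0x3000 bytes.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
    $store.Open('ReadOnly')
    $bytes = 0
    foreach ($c in $store.Certificates) { $bytes += $c.SubjectName.RawData.Length + 2 }  # +2 length prefix
    $store.Close()
    return $bytes
}

if (-not (Test-CertChain $ServerCertPath)) {
    Import-RootCert $RootCertPath
    Test-CertChain $ServerCertPath | Out-Null   # re-check: the chain should now build cleanly
}
$bytes = Get-RootIssuerListBytes
Write-Host ("Trusted root issuer list: {0} bytes (Server 2003 limit 0x3000 = {1})" -f $bytes, 0x3000)
```

If the issuer-list estimate is close to the limit after importing roots, that is the condition under which the KB article says client-certificate handshakes start failing with Schannel event ID 36885.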

If you want to read more, check out the full article, which covers some interesting root-update differences between XP, 2003, 2008 and Windows 7: http://support.microsoft.com/kb/931125
