
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1436

Problem with root certificate update

On all our XP machines the event log is getting pounded with the following error.

Event Type:      Error
Event Source:      crypt32
Event Category:      None
Event ID:      8
Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.

After researching the problem a bit, it looks like it most likely stems from the fact that we have Windows Update turned off as we use WSUS.  Does this mean we have to disable the update root certificates on all the machines?  Is this something we can push with WSUS without having to disable the root cert update?
2 Solutions
Have you tried this:

1. In Control Panel, double-click Add/Remove Programs.
2. Click Add/Remove Windows Components.
3. Click to clear the Update Root Certificates check box, and then continue with the Windows Components Wizard.

This could also happen if some certificates at Microsoft have expired and need updates. Then the problem will disappear after some hours or days.
Donald Stewart, Network Administrator, Commented:
Use "Turn off Automatic Root Certificates Update"

Paranormastic, Cryptographic Engineer, Commented:
The above information is likely to be the solution (to turn off auto root updates - this can be done via GPO - you may need the IE add-in template, etc.). Here is a little bit of an explanation.

Root certificate updates do indeed go through Windows Update, so disabling that will prevent the root certificates from being updated.  Manual installation packages are available from here:

You should disable the automatic root certificate update as suggested to prevent errors.

Another possibility if Windows Update was enabled is if the Microsoft root certificate that manages Windows Update had expired.  Since you have updates blocked, I would not imagine this to be the case, and this issue is a couple years old now so does not come up frequently.  Likewise, other issues that could block access to updates could be the cause, such as malware, etc., but again nothing to worry about in your case for this issue.

If this is only happening on one or a couple machines, it may be that the client was accessing a secured website that had a certificate that was not already trusted and is trying to check for an updated list to see if it should be trusted now.  For XP, it would need to download the whole list, for Vista and newer it would only download the necessary new root cert.
rufustmac, Author, Commented:
Thanks, we turned it off via GPO and it's working fine now.
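
To confirm on a client that the GPO discussed in this thread has applied and that the crypt32 Event ID 8 errors have stopped, a check along these lines can be run. This is an added example, not code from any of the posters; it assumes PowerShell 2.0 or later is installed on the machine, and the function names and the 24-hour window are illustrative choices.

```powershell
# Added example. Assumes PowerShell 2.0+; function names and the lookback window are illustrative.
# Registry value written by the "Turn off Automatic Root Certificates Update" policy.
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policyName    = 'DisableRootAutoUpdate'
$lookbackHours = 24   # assumption: pick a window that starts after the GPO refresh

function Get-RootAutoUpdatePolicy {
    # Returns 'NotConfigured', 'Disabled' (value 1, auto update turned off) or 'Enabled'.
    $item = Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'NotConfigured' }
    if ($item.$policyName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Get-Crypt32RetrievalErrors {
    # Returns crypt32 errors with Event ID 8 from the Application log within the window.
    param([int]$Hours)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-EventLog -LogName Application -Source crypt32 -EntryType Error `
                           -After $since -ErrorAction SilentlyContinue
    $events | Where-Object { $_.EventID -eq 8 }
}

$state = Get-RootAutoUpdatePolicy
$hits  = @(Get-Crypt32RetrievalErrors -Hours $lookbackHours)

# One summary line per machine, suitable for collecting from a logon or startup script.
'{0}: root auto update policy={1}; crypt32 Event ID 8 in last {2}h={3}' -f `
    $env:COMPUTERNAME, $state, $lookbackHours, $hits.Count

# If errors are still being logged, show the most recent one for comparison with the original event.
if ($hits.Count -gt 0) {
    $hits | Sort-Object TimeGenerated -Descending |
        Select-Object -First 1 TimeGenerated, Message | Format-List
}
```

A machine that reports the policy as Disabled and a count of 0 has picked up the setting. With automatic updates off, the root store only changes through the manual installation packages mentioned above.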
