Solved

Self-Signed Certificate Removed from Workstations

Posted on 2016-08-01
Last Modified: 2016-08-10
I have recently run into an issue where a self-signed certificate was removed from all workstations' Trusted Root store. No scripts were run or GPOs pushed to do this. I have read many articles on this that mention that sometimes Windows AutoUpdate Root Certs can delete a certificate. My theory (and this is out there) is that our self-signed certificate's serial number matched or partially matched that of an entry on a CRL. My question is: is there some way to check the serial number of our certificate against MS CRLs? What interval does MS use to have workstations automatically remove certificates: is this weekly, monthly, daily?
Question by:compdigit44
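A way to actually run the serial-number check the question asks for, added here as an example that is not from the original post or any of the posters. It builds a constructed self-signed certificate and a constructed CRL from an unrelated CA with the `cryptography` library (all names and serials are made up), then shows why a bare serial match on someone else's CRL carries no meaning: a CRL only covers certificates its own signer issued, which is the expert's point below that CRL inclusion does not revoke, let alone delete, a self-signed certificate.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def make_self_signed(common_name, serial):
    """Constructed self-signed cert (stand-in for the Java keystore cert)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(now - timedelta(days=1))
            .not_valid_after(now + timedelta(days=365))
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl(issuer_key, issuer_cert, revoked_serials):
    """Constructed CRL signed by issuer_cert's key, listing the given serials."""
    now = datetime.now(timezone.utc)
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(now).next_update(now + timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder()
            .serial_number(serial).revocation_date(now).build())
    return builder.sign(issuer_key, hashes.SHA256())

def serial_listed_in_crl(cert, crl):
    """The naive check the question asks for: is the serial number on the CRL?"""
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

def crl_applies_to(cert, crl, crl_signer_cert):
    """A CRL only speaks for certs its signer issued: issuer names must match
    and the CRL signature must verify under the signer's public key."""
    return (crl.issuer == cert.issuer
            and crl.is_signature_valid(crl_signer_cert.public_key()))

def scenario():
    """Constructed worst case: an unrelated CA's CRL happens to list our serial."""
    _, self_cert = make_self_signed("Internal Code Signing", 0x1234)
    ca_key, ca_cert = make_self_signed("Unrelated Root CA", 1)
    foreign_crl = make_crl(ca_key, ca_cert, [0x1234])
    return {"serial_listed": serial_listed_in_crl(self_cert, foreign_crl),
            "crl_applies": crl_applies_to(self_cert, foreign_crl, ca_cert)}
```

To run it against a real CRL, replace the constructed one with `x509.load_der_x509_crl()` on a downloaded file; the serial match will still tell you nothing unless `crl_applies_to` is also true.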
16 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41737961
Hey...

There is something important... independently of revocations, renewals, expirations, updates, etc., certificates are never removed by the system from the store.

I would rather recommend that if you have that certificate somewhere and you need it, you just install it in your systems again, for example using a GPO.
 
LVL 19

Author Comment

by:compdigit44
ID: 41738170
We did do this, but we are trying to understand why and how this one certificate went "missing".
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41738176
How did you install it in the past? Was it using GPOs or a different method?
 
LVL 19

Author Comment

by:compdigit44
ID: 41738183
It was published via SCCM... and no, SCCM did not run and remove it.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41738199
Hehehehe. Even if you want to remove it with SCCM, it does not use the same logic used for adding it.

What method was used through SCCM? One cmd script created as a software package?

It is really interesting and mysterious... It was on all the PCs and later was not there on any one of them.
 
LVL 19

Author Comment

by:compdigit44
ID: 41738209
The self-signed cert was created via a Java keystore for code signing and was pushed via SCCM using a single-line command to all workstations 2 months ago. Then yesterday, "poof", this one certificate was gone... Now, on the same evening it started, I did decommission an old sub-CA which was not publishing any certs in our domain, and followed MS guidelines for decommissioning it. Please note this cert was not even known to the internal PKI servers. It is SO ODD!!!
 
LVL 19

Author Comment

by:compdigit44
ID: 41739004
Any way to check to see if the self-signed certificate's serial number is listed on one of Microsoft's published CRLs?
 
LVL 19

Author Comment

by:compdigit44
ID: 41739570
If it makes any difference, the cert was generated using the Java keystore tool and worked fine for 2 months, then all of a sudden went missing.
 
LVL 19

Author Comment

by:compdigit44
ID: 41740003
Of course, since the cert has gone missing I have not been able to reproduce the issue.... but I am worried and trying to understand why it even happened in the first place.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41740687
Yeah, it does not make sense.
 
LVL 19

Author Comment

by:compdigit44
ID: 41741000
I know, but any ideas on how this might have happened...

From my understanding it takes an "action" to remove a certificate.

Does MS use some type of checking to remove self-signed certs in the trusted root store? Any way to see if the cert is on a public CRL list... Again, long shot.
 
LVL 19

Author Comment

by:compdigit44
ID: 41743517
Does anyone have any thoughts or suggestions on this? I am at a complete loss at this point and can provide no proof or explanation as to what happened.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41743625
On one hand, definitively, the CRL inclusion of a certificate does not delete it.

Some general questions or details in order to consider some possibilities. Let's see, let's see what we can think about...

1. The digital certificate saved in 'Trusted Root Certification Authorities' was included in the 'user store' rather than the 'computer store'.

2. The digital certificate was stored in the personal container of a user and was associated with a compromised account, therefore the system deleted it. One example of this is if a user gets a digital certificate for file encryption and an administrator resets the user's password: as the system can consider that an attack, the system blows away the personal security certificates.

3. There was a corruption with the Java keystore process used to implement the certificate. There are some well-known cases where the application updating the certificates gets corrupted and sometimes deletes certificates from the Trusted Root Certification Authorities container. However, I did not see the application that you used in the list of well-known tools that have caused similar issues.

4. You were very and extremely lucky and got a serial collision with another root certificate (but not a CRL, as it just validates revocation). Of course, it is easier to win the LOTO and the lottery than this :P.
 
LVL 19

Author Comment

by:compdigit44
ID: 41744311
Do you have any documentation for item number 3?
 
LVL 14

Accepted Solution

by:
Schnell Solutions earned 500 total points
ID: 41744357
One example is RES Software, but in order to access their KB and get their documentation related to the improvements in their new versions it is necessary to create an account on https://success.ressoftware.com/

Some of their automation products before version v9.10.1.5 were having this problem.

One example is listed in this forum:
http://answers.microsoft.com/en-us/windows/forum/windows_vista-networking/certificate-disappears-from-trusted-root/202128ce-1926-4fb0-9872-b28b10db3e70

They tried resolving the problem using KB932156: https://www.microsoft.com/en-us/download/details.aspx?id=2052

In the previously listed forum there is one user that specifies the problem with RES software:
RES Workspace Manager / RES ONE Workspace (prior to v9.10.1.5)
 
LVL 19

Author Comment

by:compdigit44
ID: 41744825
These are very interesting articles. The self-signed cert was originally pushed via SCCM using the Local System account to the machine, not the user, and worked fine for a number of months without issue. We are using Windows 7 x64 workstations and the application that uses the certificate is accessed via the browser. We never had an issue like this before.