Self-Signed Certificated Removed from Workstations

Posted on 2016-08-01
Last Modified: 2016-08-10
I have recently run into an issue where a self-signed certificate was removed from all workstations' Trusted Root store. No scripts were run or GPs pushed to do this. I have read many articles on this, and they mention that sometimes Windows AutoUpdate Root Certs can delete a certificate. My theory, and this is out there, is that our self-signed certificate's serial number matched or partially matched an entry on a CRL. My question is: is there some way to check the serial number of our certificate against the MS CRL? What interval does MS use to have workstations automatically remove certificates: is this weekly, monthly, daily?
Question by:compdigit44
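The question asks where the certificate should have been and whether its serial number appears on a CRL. The PowerShell below is an added example, not code from the thread or from any product mentioned in it. It enumerates the machine and user stores (Trusted Root, intermediate, Disallowed/Untrusted, Personal, Trusted Publishers) for a certificate matching a subject string, and then compares each match's serial number with the entries of a CRL file dumped with `certutil`. The subject `CN=Example Code Signing` and the CRL path are placeholders. Note that revocation is keyed on issuer plus serial, so for a self-signed certificate (issuer equals subject) a serial that happens to appear in some other issuer's CRL is a coincidence with no effect; and a root that Windows has actively distrusted shows up in the Disallowed store rather than vanishing.

```powershell
# Added example (not from the thread). Locate a certificate across the Windows
# certificate stores and compare its serial number against a CRL file.
# Placeholders: replace the subject match and the CRL path with your own values.
$SubjectMatch = 'CN=Example Code Signing'   # placeholder subject string
$CrlPath      = 'C:\Temp\issuer.crl'        # placeholder: a CRL downloaded from the issuer's CDP

function Find-CertificateInStores {
    param([Parameter(Mandatory)][string]$SubjectMatch)
    $locations = 'LocalMachine', 'CurrentUser'
    $stores    = 'Root', 'CA', 'AuthRoot', 'Disallowed', 'My', 'TrustedPublisher'
    foreach ($loc in $locations) {
        foreach ($store in $stores) {
            $path = "Cert:\$loc\$store"
            if (-not (Test-Path $path)) { continue }
            Get-ChildItem $path -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -like "*$SubjectMatch*" } |
                ForEach-Object {
                    [pscustomobject]@{
                        Location   = $loc
                        Store      = $store
                        Subject    = $_.Subject
                        Issuer     = $_.Issuer
                        SelfSigned = ($_.Subject -eq $_.Issuer)
                        Serial     = $_.SerialNumber          # uppercase hex, no separators
                        Thumbprint = $_.Thumbprint
                        NotAfter   = $_.NotAfter
                    }
                }
        }
    }
}

function Get-CrlRevokedSerials {
    param([Parameter(Mandatory)][string]$CrlPath)
    # 'certutil -dump' prints one 'Serial Number: <hex>' line per revoked entry
    # after the 'CRL Entries:' header. Normalise to uppercase hex without
    # separators so it compares directly with X509Certificate2.SerialNumber.
    $dump = certutil -dump $CrlPath 2>&1
    $inEntries = $false
    foreach ($line in $dump) {
        if ($line -match '^\s*CRL Entries:') { $inEntries = $true; continue }
        if ($inEntries -and $line -match '^\s*Serial Number:\s*([0-9a-fA-F ]+)') {
            ($Matches[1] -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
        }
    }
}

function Test-SerialInCrl {
    param([Parameter(Mandatory)][string]$SubjectMatch,
          [Parameter(Mandatory)][string]$CrlPath)
    $revoked = @(Get-CrlRevokedSerials -CrlPath $CrlPath)
    foreach ($c in Find-CertificateInStores -SubjectMatch $SubjectMatch) {
        [pscustomobject]@{
            Location    = $c.Location
            Store       = $c.Store
            Serial      = $c.Serial
            SelfSigned  = $c.SelfSigned
            SerialInCrl = ($revoked -contains $c.Serial.ToUpperInvariant())
            # Only meaningful when the CRL was issued by this certificate's issuer;
            # for a self-signed certificate that means the certificate itself.
            Issuer      = $c.Issuer
        }
    }
}

# Usage: where is the certificate now, and does its serial appear in the CRL?
Find-CertificateInStores -SubjectMatch $SubjectMatch | Format-Table -AutoSize
Test-SerialInCrl -SubjectMatch $SubjectMatch -CrlPath $CrlPath | Format-Table -AutoSize
```

If `Find-CertificateInStores` returns nothing for either store location, the certificate is simply gone, not distrusted; if it turns up under `CurrentUser\Root` only, it was installed per-user rather than per-machine, which matters for which processes can see it.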
16 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41737961
Hey...

There is something important... Independently of revocations, renewals, expirations, updates, etc., certificates are never removed by the system from the store.

I would rather recommend that, if you have that certificate somewhere and you need it, you just install it on your systems again, for example using a GPO.
 
LVL 19

Author Comment

by:compdigit44
ID: 41738170
We did do this, but we are trying to understand why and how this one certificate went "missing".
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41738176
How did you install it in the past? Was it using GPOs or a different method?
 
LVL 19

Author Comment

by:compdigit44
ID: 41738183
It was published via SCCM... and no, SCCM did not run and remove it.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41738199
Hehehehe. Even if you wanted to remove it with SCCM, it would not use the same logic as was used for adding it.

What method was used through SCCM? One cmd script created as a software package?

It is really interesting and mysterious... It was on all the PCs and later was not there on any one of them.
 
LVL 19

Author Comment

by:compdigit44
ID: 41738209
The self-signed cert was created via the Java keystore for code signing and was pushed via SCCM using a single-line command to all workstations 2 months ago. Then yesterday, "poof", this one certificate was gone. Now, on the same evening it started, I did decommission an old sub-CA which was not publishing any certs in our domain, and I followed MS guidelines for decommissioning it. Please note this cert was not even known to the internal PKI servers. It is SO ODD!!!
 
LVL 19

Author Comment

by:compdigit44
ID: 41739004
Is there any way to check whether the self-signed certificate's serial number is listed on one of Microsoft's published CRLs?
 
LVL 19

Author Comment

by:compdigit44
ID: 41739570
If it makes any difference, the cert was generated using the Java keystore tool and worked fine for 2 months, then all of a sudden went missing.
 
LVL 19

Author Comment

by:compdigit44
ID: 41740003
Of course, since the cert has gone missing I have not been able to reproduce the issue.... but I am worried and trying to understand why it even happened in the first place.
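Since the removal cannot be reproduced after the fact, the practical next step is to record what the Trusted Root stores contain now and diff against that record on a schedule, so the next disappearance is at least detected with a timestamp and the affected thumbprint. The script below is an added example, not from the thread or from any product in it; the baseline path is a placeholder. It snapshots both the machine and the user Trusted Root stores to JSON and reports certificates that were added or removed since the baseline.

```powershell
# Added example (not from the thread). Baseline the Trusted Root stores and
# diff the current contents against that baseline to detect removed or added
# root certificates. The baseline path is a placeholder.
$BaselinePath = 'C:\ProgramData\RootStoreBaseline.json'   # placeholder

function Get-RootStoreSnapshot {
    # One record per certificate in LocalMachine\Root and CurrentUser\Root.
    foreach ($loc in 'LocalMachine', 'CurrentUser') {
        Get-ChildItem "Cert:\$loc\Root" -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{
                Key        = "$loc|$($_.Thumbprint)"   # store location + thumbprint identifies the entry
                Location   = $loc
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                Serial     = $_.SerialNumber
                NotAfter   = $_.NotAfter.ToString('o')
            }
        }
    }
}

function Save-RootStoreBaseline {
    param([Parameter(Mandatory)][string]$Path)
    $snapshot = @(Get-RootStoreSnapshot)
    # Wrapping in @() keeps a single-entry store serialised as an array.
    ConvertTo-Json -InputObject $snapshot -Depth 3 | Set-Content -Path $Path -Encoding UTF8
    return $snapshot.Count
}

function Compare-RootStoreToBaseline {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) {
        throw "No baseline at $Path; run Save-RootStoreBaseline first."
    }
    $baseline = @(Get-Content -Path $Path -Raw | ConvertFrom-Json)
    $current  = @(Get-RootStoreSnapshot)
    $baseByKey = @{}; foreach ($b in $baseline) { $baseByKey[$b.Key] = $b }
    $currByKey = @{}; foreach ($c in $current)  { $currByKey[$c.Key] = $c }
    $now = (Get-Date).ToString('o')

    # Entries present in the baseline but missing now: this is the case in the thread.
    foreach ($k in $baseByKey.Keys) {
        if (-not $currByKey.ContainsKey($k)) {
            $b = $baseByKey[$k]
            [pscustomobject]@{ When = $now; Change = 'Removed'; Location = $b.Location
                               Subject = $b.Subject; Thumbprint = $b.Thumbprint }
        }
    }
    # Entries present now but not in the baseline: roots added by updates, GPO, or a user.
    foreach ($k in $currByKey.Keys) {
        if (-not $baseByKey.ContainsKey($k)) {
            $c = $currByKey[$k]
            [pscustomobject]@{ When = $now; Change = 'Added'; Location = $c.Location
                               Subject = $c.Subject; Thumbprint = $c.Thumbprint }
        }
    }
}

# Usage: take the baseline once, then run the comparison from a scheduled task.
if (-not (Test-Path $BaselinePath)) {
    $n = Save-RootStoreBaseline -Path $BaselinePath
    "Baseline written with $n root certificates."
} else {
    Compare-RootStoreToBaseline -Path $BaselinePath | Format-Table -AutoSize
}
```

Run the comparison under the same account context the certificate was installed with (SYSTEM for a machine-store push), and pair it with an object-access audit SACL on the registry key that backs the machine Trusted Root store, `HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates`, so that a deletion also leaves a Security-log event naming the process and account that performed it.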
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41740687
Yeah, it does not make sense.
 
LVL 19

Author Comment

by:compdigit44
ID: 41741000
I know, but any ideas on how this might have happened...

From my understanding, it takes an "action" to remove a certificate.

Does MS use some type of checking to remove self-signed certs in the trusted root store? Any way to see if the cert is on a public CRL list... Again, a long shot.
 
LVL 19

Author Comment

by:compdigit44
ID: 41743517
Does anyone have any thoughts or suggestions on this? I am at a complete loss at this point and cannot provide any proof or explanation as to what happened.
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41743625
On one hand, definitively, the inclusion of a certificate in a CRL does not delete it.

Some general questions or details in order to consider some possibilities. Let's see, let's see what we can think about...

1. The digital certificate saved in 'Trusted Root Certification Authorities' was included in the 'user store', rather than the 'computer store'.

2. The digital certificate was stored in the personal container of a user and it was associated with a compromised account, therefore the system deleted it. One example of this is if a user gets a digital certificate for file encryption and an administrator resets the user's password; as the system can consider that an attack, the system blows away the personal security certificates.

3. There was a corruption with the Java keystore process used to implement the certificate. There are some well-known cases where the application updating the certificates gets corrupted and sometimes deletes certificates from the Trusted Root Certification Authorities container. However, I did not see the application that you used in the list of well-known tools that have caused similar issues.

4. You were very and extremely lucky and got a serial collision from another root certificate (but not a CRL, as that just validates revocation). Of course, it is easier to win the LOTO and the lottery than this :P.
 
LVL 19

Author Comment

by:compdigit44
ID: 41744311
Do you have any documentation for item number 3?
 
LVL 14

Accepted Solution

by:Schnell Solutions (earned 500 total points)
ID: 41744357
One example is RES Software, but in order to access their KB and get their documentation related to the improvements in their new versions, it is necessary to create an account at https://success.ressoftware.com/

Some of their automation products before version v9.10.1.5 were having this problem.

One example is listed in this forum:
http://answers.microsoft.com/en-us/windows/forum/windows_vista-networking/certificate-disappears-from-trusted-root/202128ce-1926-4fb0-9872-b28b10db3e70

They tried resolving the problem using the KB932156: https://www.microsoft.com/en-us/download/details.aspx?id=2052

In the previously listed forum there is one user that specifies the problem with RES software:
RES Workspace Manager / RES ONE Workspace (prior to v9.10.1.5)
 
LVL 19

Author Comment

by:compdigit44
ID: 41744825
These are very interesting articles. The self-signed cert was originally pushed via SCCM using the Local System account to the machine and not the user, and worked fine for a number of months without issue. We are using Windows 7 x64 workstations, and the application that uses the certificate is accessed via the browser. We have never had an issue like this before.