detox1978

SSL certificate pack

Hi All,

I have set up a clean build of Windows 7 from a DVD downloaded from Microsoft.

For some reason when I browse pretty much all SSL sites it says the certificate is invalid.  The time on the PC is correct.  It looks like the intermediate certificate / root certificate authorities are all missing.

Is there a pack somewhere I can download?

Thanks
bbao

Are you using the MSDN or VL version of Windows 7?
detox1978 (ASKER)

VL
btan

You can run certmgr.msc to see whether the root and intermediate certificates are really all missing. Update with Windows 7 Service Pack 1. Have the automatic updater

You may configure a file or web server to download the CTL files, and then use group policy to push them to your computer.

The list of trusted root certificates is available as a self-extracting IEXPRESS package in the Microsoft Download Center, the Windows catalog, or by using Windows Server Update Services (WSUS). IEXPRESS packages are released at the same time as the trusted CTL.
For more details, please refer to the article below:
Configure Trusted Roots and Disallowed Certificates
https://technet.microsoft.com/en-us/library/dn265983.aspx
And you should have the below update applied also:
An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows
https://support.microsoft.com/en-us/kb/2813430
Alternatively, you can update the root cert using rootsupd.
The customer who had the certificate issues didn’t provide clients with internet access. This was preventing the client from acquiring certificates through Windows Update. Microsoft solves this with a tool called rootsupd.exe, which will download and import all certificates that are part of the Root Certificate Program to the client's root certificate store.
The executable is at:
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

Another means is from https://support.microsoft.com/en-sg/kb/2677070; the link has the cab files.
A certificate trust list (CTL) is a predefined list of items that are signed by a trusted entity. All the items in the list are authenticated and approved by a trusted signing entity. This update expands on this existing functionality by adding known untrusted certificates to the untrusted certificate store by using a CTL that contains either their public key or their signature hash. After this update is installed, customers benefit from quick automatic updates of untrusted certificates.

Users who have disconnected systems will not benefit from this feature improvement. These customers will still have to install the root certificate updates when they are made available. Please see the "More Information" section.

As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions.

The following are the new URLs:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Better to go through auto update where possible
Please check whether you have this update installed. If not, install it. This Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.

https://support.microsoft.com/en-au/kb/3004394
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.

Thanks,

Running this fixed the issue

certutil -generateSSTFromWU roots.sst
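
One way to see which roots from that file the machine is actually missing, and to add only those, as an added example that is not part of the original thread. It assumes roots.sst is in the current directory; the `-Import` switch is a hypothetical parameter of this script, which reports only unless it is given.

```powershell
# Added example: compare roots.sst (from certutil -generateSSTFromWU) with the
# local Trusted Root store, and import the missing roots only when asked to.
param(
    [string]$SstPath = '.\roots.sst',  # assumed: file sits in the current directory
    [switch]$Import                     # hypothetical switch; default is report-only
)

# Load every certificate held in the serialized store (.sst) file.
$fromWU = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$fromWU.Import((Resolve-Path $SstPath).Path)

# Machine-wide Trusted Root Certification Authorities store.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
if ($Import) { $store.Open('ReadWrite') } else { $store.Open('ReadOnly') }

try {
    # Index the roots already trusted on this machine by thumbprint.
    $trusted = @{}
    foreach ($cert in $store.Certificates) { $trusted[$cert.Thumbprint] = $true }

    $missing = @($fromWU | Where-Object { -not $trusted.ContainsKey($_.Thumbprint) })
    Write-Output ("{0} roots in {1}, {2} not in LocalMachine\Root" -f $fromWU.Count, $SstPath, $missing.Count)

    foreach ($cert in $missing) {
        # Print enough to review each root before it becomes trusted.
        Write-Output ("{0}  expires {1:yyyy-MM-dd}  {2}" -f $cert.Thumbprint, $cert.NotAfter, $cert.Subject)
        if ($Import) { $store.Add($cert) }   # needs an elevated prompt
    }
}
finally {
    $store.Close()
}
```

Run it once without `-Import` to review the list, then from an elevated prompt with `-Import` to add the missing roots.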