Solved

SSL certificate pack

Posted on 2016-10-29
6
364 Views
Last Modified: 2016-11-01
Hi All,

I have setup a clean build of Windows 7 from DVD downloaded from Microsoft.

For some reason when I browse pretty much all SSL sites it says the certificate is invalid.  The time on the PC is correct.  It looks like the intermediate certificate / root certificate authorities are all missing.

Is there a pack somewhere I can download?

Thanks
0
Comment
Question by:detox1978
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
6 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41865186
are you using MSDN or VL version of Windows 7?
0
 
LVL 2

Author Comment

by:detox1978
ID: 41865190
VL
0
 
LVL 63

Expert Comment

by:btan
ID: 41865216
You can run certmgr.msc to see if there are really all missing root and intermediate certificate. Update with Windows 7 Service Pack 1. Have the automatic updater

You may configure a file or web server to download the CTL files, and then use group policy to push them to your computer.

The list of trusted root certificates is available as a self-extracting IEXPRESS package in the Microsoft Download Center, the Windows catalog, or by using Windows Server Update Services (WSUS). IEXPRESS packages are released at the same time as the trusted CTL.
More details please refer to the article below:
Configure Trusted Roots and Disallowed Certificates
https://technet.microsoft.com/en-us/library/dn265983.aspx
And you should have the below update applied also:
An update is available that enables administrators to update trusted and disallowed CTLs in disconnected environments in Windows
https://support.microsoft.com/en-us/kb/2813430
Alternatively can update root cert using rootsupd
The customer who had the certificate issues didn’t provide clients with internet access. This was preventing the client from acquiring certificates trough Windows Update. Microsoft solves this with a tool called rootsupd.exe which will download and import all certificates that are part of the Root Certificate Program to the clients root certificates store.
The executable @
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

Another means from https://support.microsoft.com/en-sg/kb/2677070 on the link the cab files
A certificate trust list (CTL) is a predefined list of items that are signed by a trusted entity. All the items in the list are authenticated and approved by a trusted signing entity. This update expands on this existing functionality by adding known untrusted certificates to the untrusted certificate store by using a CTL that contains either their public key or their signature hash. After this update is installed, customers benefit from quick automatic updates of untrusted certificates.

Users who have disconnected systems will not benefit from this feature improvement. These customers will still have to install the root certificate updates when they are made available. Please see the "More Information" section.

As part of this update, the URLs that are used for contacting Windows Update to download the untrusted and trusted CTLs were changed. This could cause problems for enterprises that hardcode these URLs in their firewalls as exceptions.

The following are the new URLs:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Better to go through auto update where possible
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 37

Expert Comment

by:bbao
ID: 41865240
please check if you have got this update installed? if not, install it. this Windows Root Certificate Program enables trusted root certificates to be distributed automatically in Windows.

https://support.microsoft.com/en-au/kb/3004394
0
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41865579
To add on for my post, which also menrioned below. You can also

- use certutil to grab all the trusted root certificates from the Windows Update server:
    certutil -generateSSTFromWU roots.sst
- open roots.sst (which defaults to viewing in certmgr) and it will show the whole lot.

Or use certutil -syncWithWU to get all the certs individually.

Alternatively,for the trusted CTL,
- download http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab,
- extract the authroot.stl file (which is in PKCS#7 format, the .cab can be open in explorer to get the stl extracted),
- use 'certutil -dump' to list all the subject key identifiers therein (e.g.  OCTET STRING      [HEX DUMP]:CDD4EEAE6000AC7F40C3802C171E30148030C072),
- download them from the same location as authrootstl.cab by appending ".crt" to the identifier. (e.g. http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/CDD4EEAE6000AC7F40C3802C171E30148030C072.crt)
- repeat for the rest of the certificate in the dump from the certutil output

You can do it for the untrusted (disallowed) CTL and others below as well.
(as shared) •authrootstl.cab, which contains a non-Microsoft CTL
(using the link shared in my first post)•disallowedcertstl.cab, which contains a CTL with untrusted certificates
(other)•disallowedcert.sst, which contains a serialized certificate store, including untrusted certificates
(others)•<thumbprint>.crt, which contains non-Microsoft root certificates


The above it is manual way otherwise just
- download  http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
- install the updated root certs.
0
 
LVL 2

Author Comment

by:detox1978
ID: 41868961
Thanks,

Running this fixed the issue

certutil -generateSSTFromWU roots.sst
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ransomware is a malware that is again in the list of security  concerns. Not only for companies, but also for Government security and  even at personal use. IT departments should be aware and have the right  knowledge to how to fight it.
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question