Wednesday, June 29, 2011

Automatic Root Certificates Update Insanity

I have no doubt that Microsoft was trying to solve a big problem when they came up with the Automatic Root Certificates Update solution. Ideally, with Automatic Root Certificates Update a PC/Server can keep the list of Root Certificate Authorities up to date on demand. Also, Automatic Root Certificate Update would allow for the addition of other Root Certificate Authorities that may not have been approved when the OS was first released.
Unfortunately, I have found that the Automatic Root Certificate Update solution creates some problems when there are customized properties on Trusted Root Certificates.

As an example, the proper installation of GoDaddy Intermediate Certificates requires the disabling or deletion of an existing Trusted Root Certificate.

NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.

So now you have a properly installed GoDaddy certificate, right? You won't for long.

At some point in the future the server will query Windows Update, notice that the GoDaddy root certificate is disabled, update the certificate and re-enable it. There will be an Event Viewer message from the source CAPI2.

A simple update of the Trusted Root certificate will not immediately break the server software component that has that certificate assigned; the services have to be restarted first. That means that at some point in the future someone reboots the server, suddenly things do not work, and you have no idea why. This has been observed with both Lync Edge servers and Front End servers that were using GoDaddy certificates. Now that is fun.

So... yes, we can disable Automatic Root Certificate Update, but there is a downside I've noticed. Much like on Windows Server 2003, we then have to download and install manually any Trusted Root Certificates that are not part of the original OS.

Now you are thinking, "I will never go with a GoDaddy certificate because of this." Guess what: I've personally seen an issue with Digicert, and I've seen mention of Entrust-based certificates also having issues with Automatic Root Certificate Update.
So... I don't have any really great answers for making this a non-issue at this point. If you do, please send me an email or send me a message on Twitter.

Here is the procedure to disable Automatic Root Certificate Update.

Turn off Automatic Root Certificates Update

To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.

To turn off Automatic Root Certificates Update:

  1. Click Start, and then click Run.
  2. Type gpedit.msc and then click OK.
  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  4. Double-click Administrative Templates, double-click System, double-click Internet Communication Management and then click Internet Communication settings.
  5. Double-click Turn off Automatic Root Certificates Update, click Enabled and then click OK.
  6. Close the Local Group Policy Editor.
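As an added example that is not from the original post, here is a PowerShell script that checks the same things from the command line: whether the policy is in effect, whether the Go Daddy Class 2 root is present in the machine Root store, and which CAPI2 events auto-update has logged recently. It assumes that the Group Policy setting above writes the DisableRootAutoUpdate registry value shown, and that on a domain-joined host a domain GPO may overwrite the local value.

```powershell
# Added example, not code from the original post.
# Assumption: "Turn off Automatic Root Certificates Update" writes the
# registry value below; a domain GPO can overwrite a locally set value.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Get-RootAutoUpdateState {
    $v = Get-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    if ($v -and $v.DisableRootAutoUpdate -eq 1) { 'Disabled (policy set)' } else { 'Enabled (default)' }
}

function Get-GoDaddyClass2Root {
    # Matches on the subject name quoted in the post rather than on a thumbprint.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like '*Go Daddy Class 2 Certification Authority*' } |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter
}

function Get-RecentCapi2Events {
    param([int]$Days = 7)
    # The post notes that a root update leaves an Application-log event from source CAPI2;
    # reviewing these after an unexplained certificate change shows whether auto-update ran.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Disable-RootAutoUpdate {
    # Same effect as the gpedit steps above; requires an elevated prompt.
    # Remember the downside from the post: new roots must then be installed manually.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name DisableRootAutoUpdate -Value 1 -Type DWord
}

"Automatic Root Certificates Update: $(Get-RootAutoUpdateState)"
Get-GoDaddyClass2Root | Format-List
Get-RecentCapi2Events | Format-Table -AutoSize -Wrap
```

Run it from an elevated PowerShell prompt; the certificate and event sections simply print nothing when there is no match.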
