This is the Windows Server Update Services support team blog. We cover all things relating to WSUS and Windows Update.
As explained in KB 931125, a package that was intended only for client operating systems was also made available to servers through WSUS and Windows Update. This package is designed to update the store of trusted root certificates, and adds a large number of certificates to the store. Windows Vista and later automatically update their own stores, but Windows XP requires regular updates.
The issue is this: the SChannel security package used to send trusted certificates to clients has a limit of 16KB. Therefore, having too many certificates in the store can prevent TLS servers from sending needed certificate information; they start sending but have to stop when they reach 16KB. If clients don’t have the right certificate information, they cannot use services requiring TLS for authentication. Because the root certificate update package available in KB 931125 manually adds a large number of certificates to the store, applying it to servers results in the store exceeding the 16KB limit and the potential for failed TLS authentication.
For more details and information on how to fix this issue please see the following:
Fix available for Root Certificate Update issue on Windows Server (http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx)
J.C. Hornbeck | Knowledge Engineer | Management and Security Division
Get the latest System Center news on Facebook and Twitter:
System Center All Up: http://blogs.technet.com/b/systemcenter/ System Center – Configuration Manager Support Team blog: http://blogs.technet.com/configurationmgr/ System Center – Data Protection Manager Team blog: http://blogs.technet.com/dpm/ System Center – Orchestrator Support Team blog: http://blogs.technet.com/b/orchestrator/ System Center – Operations Manager Team blog: http://blogs.technet.com/momteam/ System Center – Service Manager Team blog: http://blogs.technet.com/b/servicemanager System Center – Virtual Machine Manager Team blog: http://blogs.technet.com/scvmm
Windows Intune: http://blogs.technet.com/b/windowsintune/ WSUS Support Team blog: http://blogs.technet.com/sus/ The AD RMS blog: http://blogs.technet.com/b/rmssupp/
The Forefront Endpoint Protection blog : http://blogs.technet.com/b/clientsecurity/ The Forefront Identity Manager blog : http://blogs.msdn.com/b/ms-identity-support/ The Forefront TMG blog: http://blogs.technet.com/b/isablog/ The Forefront UAG blog: http://blogs.technet.com/b/edgeaccessblog/
Good news - but bad implementation because it deletes ALL 3rd party certificates.
In my opinion this is no fix. Why ist Microsoft incapable to clean only the additional certificates from this Update (KB931125)?
Recently, Microsoft Updates have poor quality :-(
Nice in a word
Remove JUST the Certificates that were added by MS in Dec 2012.
• Obtain a copy of KB 931125 from Dec 2012 from MS
• Use WinRAR to export the KB contents to a directory
• Use the UpdRoots.EXE and the .SSTs to remove the CERTs added by KB 931125
"UpdRoots.EXE -d AuthRoots.sst" – for the Root CERTs
"UpdRoots.EXE -d UpdRoots.sst" - for the updated CERTs
"UpdRoots.EXE -d Roots.sst" - for the Local Machine CERTs