Fix available for Root Certificate Update issue on Windows Server


As explained in KB 931125, a package that was intended only for client operating systems was also made available to servers through WSUS and Windows Update. This package is designed to update the store of trusted root certificates, and it adds a large number of certificates to the store. Windows Vista and later automatically update their own stores, but Windows XP requires regular updates.

The issue is this: the SChannel security package used to send trusted certificates to clients has a limit of 16KB. Having too many certificates in the store can therefore prevent TLS servers from sending the needed certificate information: they start sending it but have to stop when they reach 16KB. If clients don't receive the right certificate information, they cannot use services that require TLS for authentication. Because the root certificate update package available in KB 931125 manually adds a large number of certificates to the store, applying it to servers results in the store exceeding the 16KB limit and the potential for failed TLS authentication.
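A quick way to check whether a server is near the limit described above is to size the trusted-root list it would advertise. The following PowerShell script is an added example, not code from the original post or from KB 931125. It assumes (this is not stated on the page) that each trusted root is advertised as its DER-encoded distinguished name with a 2-byte length prefix and that the threshold is 16384 bytes; it reports the estimated size, whether it exceeds the limit, and the largest entries so an administrator can see what is filling the store.

```powershell
# Added example (not from the original post or KB 931125).
# Estimates the size of the trusted-root list that SChannel would send to a
# TLS client and compares it with the 16 KB limit the post describes.
# Assumptions not stated on the page: each root costs a 2-byte length prefix
# plus its DER-encoded Subject name, and the limit is 16384 bytes.
function Get-TrustedRootListSize {
    param(
        [string]$StorePath  = 'Cert:\LocalMachine\Root',
        [int]   $LimitBytes = 16KB
    )

    $roots = @(Get-ChildItem -Path $StorePath)

    # One entry per trusted root: length prefix + DER-encoded distinguished name.
    $entries = foreach ($cert in $roots) {
        [pscustomobject]@{
            Subject = $cert.Subject
            Bytes   = 2 + $cert.SubjectName.RawData.Length
        }
    }

    # Add the 2-byte length prefix of the list itself.
    $sum   = ($entries | Measure-Object -Property Bytes -Sum).Sum
    $total = 2 + [int]$sum

    [pscustomobject]@{
        Count        = $roots.Count
        TotalBytes   = $total
        LimitBytes   = $LimitBytes
        OverLimit    = ($total -gt $LimitBytes)
        LargestNames = $entries | Sort-Object Bytes -Descending | Select-Object -First 10
    }
}

$result = Get-TrustedRootListSize
'{0} trusted roots, ~{1} bytes of issuer names (limit {2} bytes)' -f `
    $result.Count, $result.TotalBytes, $result.LimitBytes

if ($result.OverLimit) {
    Write-Warning 'Trusted-root list would exceed the SChannel limit; TLS client authentication may fail (see KB 931125).'
    $result.LargestNames | Format-Table Bytes, Subject -AutoSize
}
```

Run it in an elevated PowerShell session on the affected server before and after applying the fix from KB 931125; a count that drops substantially and a total that falls back under the limit confirms the extra client-only roots were removed. The estimate is conservative for planning purposes only: the exact bytes SChannel emits may differ slightly from this calculation.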

For more details and information on how to fix this issue please see the following:

Fix available for Root Certificate Update issue on Windows Server (http://blogs.technet.com/b/windowsserver/archive/2013/01/12/fix-available-for-root-certificate-update-issue-on-windows-server.aspx)

J.C. Hornbeck | Knowledge Engineer | Management and Security Division


  • Good information.  

    Thank you.

  • Good news - but bad implementation because it deletes ALL 3rd party certificates.

    In my opinion this is no fix. Why is Microsoft incapable of cleaning only the additional certificates from this update (KB931125)?

    Recently, Microsoft Updates have poor quality :-(

  • Nice in a word

  • Another Solution:

    Remove JUST the Certificates that were added by MS in Dec 2012.

    • Obtain a copy of KB 931125 from Dec 2012 from MS

    • Use WinRAR to export the KB contents to a directory

    • Use the UpdRoots.EXE and the .SSTs to remove the CERTs added by KB 931125

    "UpdRoots.EXE -d AuthRoots.sst" – for the Root CERTs

    "UpdRoots.EXE -d UpdRoots.sst" - for the updated CERTs

    "UpdRoots.EXE -d Roots.sst" - for the Local Machine CERTs

  • FOOL BLADY