Configure Trusted Roots and Disallowed Certificates
Updated: May 5, 2014
Applies To: Windows 8.1, Windows Server 2012 R2
The Windows Server 2012 R2, Windows Server 2012, Windows 8.1, and Windows 8 operating systems include an automatic update mechanism that downloads certificate trust lists (CTLs) on a daily basis. In Windows Server 2012 R2 and Windows 8.1, additional capabilities are available to control how the CTLs are updated.
Important: Software updates are available for Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista. To provide the enhancements of the automatic update mechanism that are discussed in this document, apply the following updates:
The Microsoft Root Certificate Program enables distribution of trusted root certificates within Windows operating systems. For more information about the list of members in Windows Root Certificate Program, see Windows Root Certificate Program - Members List (All CAs).
Trusted root certificates are meant to be placed in the Trusted Root Certification Authorities certificate store of the Windows operating systems. These certificates are trusted by the operating system and can be used by applications as a reference for which public key infrastructure (PKI) hierarchies and digital certificates are trustworthy. There are two methods for distributing trusted root certificates:
Automatic: The list of trusted root certificates is stored in a CTL. Client computers access the Windows Update site by using the automatic update mechanism to update this CTL.
Note The list of trusted root certificates is called the trusted CTL.
Manual: The list of trusted root certificates is available as a self-extracting IEXPRESS package in the Microsoft Download Center, the Windows catalog, or by using Windows Server Update Services (WSUS). IEXPRESS packages are released at the same time as the trusted CTL.
Note: For more information about these update methods, see document 931125 in the Microsoft Knowledge Base.
Untrusted certificates are certificates that are publicly known to be fraudulent. Similar to the trusted CTL, there are two mechanisms that are used to distribute a list of untrusted certificates:
Automatic: The list of untrusted certificates is stored in a CTL. Client computers access the Windows Update site by using the automatic update mechanism to update this CTL.
Note A list of untrusted certificates is called an untrusted CTL. For more information, see Announcing the automated updater of untrustworthy certificates and keys.
Manual: The list of untrusted certificates comes as a self-extracting IEXPRESS package in a mandatory security Windows Update.
Prior to Windows Server 2012 R2 and Windows 8.1 (or the installation of the software update, as previously discussed), the same registry setting controlled updates for trusted root certificates and untrusted certificates. An administrator could not selectively enable or disable one or the other. This resulted in the following challenges:
If the organization was in a disconnected environment, the only method for updating CTLs was to use IEXPRESS packages.
Note A computer network where the computers do not have the ability to access the Windows Update site is considered a disconnected environment in this document.
The IEXPRESS update method is mostly a manual process. Further, the IEXPRESS package may not be immediately available when the CTL is released, so there could be an additional lag for installing these updates when using this method.
Although disabling automatic updates for trusted CTLs is recommended for administrators who manage their lists of trusted root certificates (in disconnected or connected environments), disabling automatic updates of untrusted CTLs is not recommended.
For more information, see Controlling the Update Root Certificates Feature to Prevent the Flow of Information to and from the Internet.
Because there was no method for network administrators to view and extract only the trusted root certificates in a trusted CTL, managing a customized list of trusted certificates was a difficult task.
The following improved automatic update mechanisms for a disconnected environment are available in Windows Server 2012 R2 and Windows 8.1 or when the appropriate software update is installed:
Registry settings for storing CTLs: New settings enable changing the location for uploading trusted or untrusted CTLs from the Windows Update site to a shared location in an organization. For more information, see the Registry settings modified section.
Synchronization options: If the URL for the Windows Update site is moved to a local shared folder, the local shared folder must be synchronized with the Windows Update folder. This software update adds a set of options in the Certutil tool that administrators can use to enable synchronization. For more information, see the New Certutil Options section.
Tool to select trusted root certificates: This software update introduces a tool for administrators who manage the set of trusted root certificates in their enterprise environment. Administrators can view and select the set of trusted root certificates, export them to a serialized certificate store, and distribute them by using Group Policy. For more information, see the New Certutil Options section in this document.
Independent configurability: The automatic update mechanisms for trusted and untrusted certificates are independently configurable. This enables administrators to use the automatic update mechanism to download only the untrusted CTLs and manage their own list of trusted CTLs. For more information, see the Registry settings modified section in this document.
In Windows Server 2012 R2 and Windows 8.1 (or by installing the previously mentioned software updates on supported operating systems), an administrator can configure a file or web server to download the following files by using the automatic update mechanism:
authrootstl.cab, which contains a non-Microsoft CTL
disallowedcertstl.cab, which contains a CTL with untrusted certificates
disallowedcert.sst, which contains a serialized certificate store, including untrusted certificates
thumbprint.crt, which contains non-Microsoft root certificates
The steps to perform this configuration are described in the Configure a file or web server to download the CTL files section of this document.
By using Windows Server 2012 R2 and Windows 8.1 (or by installing the previously mentioned software updates on supported operating systems), an administrator can:
Configure Active Directory Domain Services (AD DS) domain member computers to use the automatic update mechanism for trusted and untrusted CTLs, without having access to the Windows Update site. This configuration is described in the Redirect the Microsoft Automatic Update URL for a disconnected environment section of this document.
Configure AD DS domain member computers to independently opt-in for untrusted and trusted CTL automatic updates. This configuration is described in the Redirect the Microsoft Automatic Update URL for untrusted CTLs only section of this document.
Examine the set of root certificates in the Windows Root Certificate Program. This enables administrators to select a subset of certificates to distribute by using a Group Policy Object (GPO). This configuration is described in the Use a subset of the trusted CTLs section of this document.
To facilitate the distribution of trusted or untrusted certificates for a disconnected environment, you must first configure a file or web server to download the CTL files from the automatic update mechanism.
Tip: The configuration described in this section is not needed for environments where computers are able to connect to the Windows Update site directly. Computers that can connect to the Windows Update site are able to receive updated CTLs on a daily basis (if they are running Windows Server 2012, Windows 8, or the previously mentioned software updates are installed on supported operating systems). For more information, see document 2677070 in the Microsoft Knowledge Base.
To configure a server that has access to the Internet to retrieve the CTL files
Create a shared folder on a file or web server that is able to synchronize by using the automatic update mechanism and that you want to use to store the CTL files.
Tip Before you begin, you may have to adjust the shared folder permissions and NTFS folder permissions to allow the appropriate account access, especially if you are using a scheduled task with a service account. For more information on adjusting permissions see Managing Permissions for Shared Folders.
From an elevated command prompt, run the following command:
Certutil -syncWithWU \\<server>\<share>
Substitute the actual server name for <server> and shared folder name for <share>. For example, if you run this command for a server named Server1 with a shared folder named CTL, you would run the command:
Certutil -syncWithWU \\Server1\CTL
Download the CTL files on a server that computers on a disconnected environment can access over the network by using a FILE path (for example, FILE://\\Server1\CTL) or an HTTP path (for example, HTTP://Server1/CTL).
If the computers in your network are configured in a domain environment and they are unable to use the automatic update mechanism or download CTLs, you can implement a GPO in AD DS to configure those computers to obtain the CTL updates from an alternate location.
Note: The configuration in this section requires that you have already completed the steps in Configure a file or web server to download the CTL files.
To configure a custom administrative template for a GPO
On a domain controller, create a new administrative template. You can start this as a text file and then change the file name extension to .adm. The contents of the file should be as follows:
CLASS MACHINE
CATEGORY !!SystemCertificates
KEYNAME "Software\Microsoft\SystemCertificates\AuthRoot\AutoUpdate"
POLICY !!RootDirURL
EXPLAIN !!RootDirURL_help
PART !!RootDirURL EDITTEXT
VALUENAME "RootDirURL"
END PART
END POLICY
END CATEGORY
[strings]
RootDirURL="URL address to be used instead of default ctldl.windowsupdate.com"
RootDirURL_help="Enter a FILE or HTTP URL to use as the download location of the CTL files."
SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive name to save the file, such as RootDirURL.adm.
Tip:
- Ensure that the file name extension is .adm and not .txt.
- If you have not already enabled file name extension viewing, see How To: View File Name Extensions.
- If you save the file to the %windir%\inf folder, it will be easier to locate in the following steps.
Open the Group Policy Management Editor.
If you are using Windows Server 2008 R2 or Windows Server 2008, click Start, and then click Run.
If you are using Windows Server 2012 R2 or Windows Server 2012, press the Windows key plus the R key simultaneously.
Type GPMC.msc, and then press ENTER.
Caution You can link a new GPO to the domain or to any organizational unit (OU). The GPO modifications implemented in this document alter the registry settings of the affected computers. You cannot undo these settings by deleting or unlinking the GPO. The settings can only be undone by reversing them in the GPO settings or by modifying the registry using another technique.
In the Group Policy Management console, expand the Forest object, expand the Domains object, and then expand the specific domain that contains the computer accounts that you want to change. If you have a specific OU that you want to modify, then navigate to that location. Click an existing GPO or right-click and then click Create a GPO in this domain, and Link it here to create a new GPO. Right-click the GPO you want to modify and then click Edit.
In the navigation pane, under Computer Configuration, expand Policies.
Right-click Administrative Templates, and then click Add/Remove Templates.
In Add/Remove Templates, click Add. In the Policy Templates dialog box, select the .adm template that you previously saved. Click Open, and then click Close.
In the navigation pane, expand Administrative Templates, and then expand Classic Administrative Templates (ADM).
Click Windows AutoUpdate Settings, and in the details pane, double-click URL address to be used instead of default ctldl.windowsupdate.com.
Select Enabled. In the Options section, enter the URL to the file server or web server that contains the CTL files. For example, http://server1/CTL or file://\\server1\CTL. Click OK. Close the Group Policy Management Editor.
The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.
Important: The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the files synchronized by using a scheduled task or another method (such as a script that handles error conditions) to update the shared folder or web virtual directory. For additional details about creating a scheduled task, see Schedule a Task. If you plan to write a script to make daily updates, see the New Certutil Options and Potential errors with Certutil -SyncWithWU sections of this document. These sections provide more information about command options and the error conditions.
Some organizations may want only the untrusted CTLs (not the trusted CTLs) to be automatically updated. To accomplish this, you can create two .adm templates to add to Group Policy.
To selectively redirect only untrusted CTLs
On a domain controller, create the first new administrative template by starting with a text file and then changing the file name extension to .adm. The contents of the file should be as follows:
CLASS MACHINE
CATEGORY !!SystemCertificates
KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot"
POLICY !!DisableRootAutoUpdate
EXPLAIN !!Certificates_config
VALUENAME "DisableRootAutoUpdate"
VALUEON NUMERIC 0
VALUEOFF NUMERIC 1
END POLICY
END CATEGORY
[strings]
DisableRootAutoUpdate="Auto Root Update"
Certificates_config="By default automatic updating of the trusted CTL is enabled. To disable automatic updating of the trusted CTL, select Disabled."
SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive name to save the file, such as DisableAllowedCTLUpdate.adm.
Create a second new administrative template. The contents of the file should be as follows:
CLASS MACHINE
CATEGORY !!SystemCertificates
KEYNAME "Software\Policies\Microsoft\SystemCertificates\AuthRoot"
POLICY !!EnableDisallowedCertAutoUpdate
EXPLAIN !!Certificates_config
VALUENAME "EnableDisallowedCertAutoUpdate"
VALUEON NUMERIC 1
VALUEOFF NUMERIC 0
END POLICY
END CATEGORY
[strings]
EnableDisallowedCertAutoUpdate="Untrusted CTL Automatic Update"
Certificates_config="By default untrusted CTL automatic update is enabled. To disable untrusted CTL update, select Disabled."
SystemCertificates="Windows AutoUpdate Settings"
Use a descriptive file name to save the file, such as EnableUntrustedCTLUpdate.adm.
Tip:
- Ensure that the file name extensions of these files are .adm and not .txt.
- If you have not already enabled file name extension viewing, see How To: View File Name Extensions.
- If you save the file to the %windir%\inf folder, it will be easier to locate in the following steps.
Open the Group Policy Management Editor.
In the Group Policy Management console, expand the Forest, Domains, and specific domain object that you want to modify. Right-click the Default Domain Policy GPO, and then click Edit.
In the navigation pane, under Computer Configuration, expand Policies.
Right-click Administrative Templates, and then click Add/Remove Templates.
In Add/Remove Templates, click Add. Use the Policy Templates dialog box to select the .adm templates that you previously saved. (You can hold the CTRL key, and click each file to select both.) Click Open, and then click Close.
In the navigation pane, expand Administrative Templates and then expand Classic Administrative Templates (ADM).
Click Windows AutoUpdate Settings and then in the details pane, double-click Auto Root Update.
Select Disabled. This setting prevents the automatic update of the trusted CTLs. Click OK.
In the details pane, double-click Untrusted CTL Automatic Update. Select Enabled. Click OK.
The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.
Important: The trusted and untrusted CTLs can be updated on a daily basis, so ensure that you keep the files synchronized by using a scheduled task or another method to update the shared folder or virtual directory.
This section describes how you can produce, review, and filter the trusted CTLs that you want computers in your organization to use. You must implement the GPOs described in the previous procedures to make use of this resolution. This resolution is available for disconnected and connected environments.
There are two procedures to complete to customize the list of trusted CTLs.
Create a subset of trusted certificates
Distribute the trusted certificates by using Group Policy
To create a subset of trusted certificates
From a computer that is connected to the Internet, open Windows PowerShell as an Administrator or open an elevated command prompt, and type the following command:
Certutil -generateSSTFromWU WURoots.sst
You can run the following command to open WURoots.sst in Certificate Manager:
start explorer.exe wuroots.sst
Tip: You can also use Internet Explorer to navigate to the file and double-click it to open it. Depending on where you stored the file, you may also be able to open it by typing wuroots.sst at the command prompt.
In the navigation pane of Certificate Manager, expand the file path under Certificates - Current User until you see Certificates, and then click Certificates.
In the details pane, you can see the trusted certificates. Hold down the CTRL key and click each of the certificates that you want to allow. When you have finished selecting the certificates you want to allow, right-click one of the selected certificates, click All Tasks, and then click Export.
Important You must select a minimum of two certificates to export the .sst file type. If you select only one certificate, the .sst file type is not available and the .cer file type is selected instead.
In the Certificate Export Wizard, click Next.
On the Export File Format page, select Microsoft Serialized Certificate Store (.SST), and then click Next.
On the File to Export page, enter a file path and an appropriate name for the file, such as C:\AllowedCerts.sst, and then click Next. Click Finish. When you are notified that the export was successful, click OK.
Copy the .sst file that you created to a domain controller.
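As an added example (not part of the original document), the same review-and-select step can be done in Windows PowerShell instead of the Certificate Manager GUI, reading the WURoots.sst that Certutil produced and writing a filtered .sst for the GPO import; the file paths and the allow-list thumbprints are placeholder assumptions.

```powershell
# Added example (not from the original document): build a trusted-root subset from
# the SST that "certutil -generateSSTFromWU" produced, without the GUI export wizard.
# Paths and thumbprints below are placeholders; replace them with your own.
$SourceSst = 'C:\CTL\WURoots.sst'
$TargetSst = 'C:\CTL\AllowedCerts.sst'
$AllowedThumbprints = @(
    'PLACEHOLDER-THUMBPRINT-1',
    'PLACEHOLDER-THUMBPRINT-2'
)

# Load every root in the serialized store downloaded from the automatic update mechanism.
$all = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$all.Import($SourceSst)

# Review step: list what the Windows Root Certificate Program currently distributes.
$all | Sort-Object Subject | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# Normalise the allow-list (strip spaces/colons, upper-case) so it compares with .Thumbprint.
$wanted = $AllowedThumbprints | ForEach-Object { ($_ -replace '[\s:]', '').ToUpperInvariant() }

$subset = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
foreach ($cert in $all) {
    if ($wanted -contains $cert.Thumbprint) { [void]$subset.Add($cert) }
}
if ($subset.Count -eq 0) { throw 'No certificates in WURoots.sst matched the allow-list.' }

# Write a Microsoft Serialized Certificate Store (.sst): the format the GPO's
# Trusted Root Certification Authorities node imports in the next procedure.
$storeType = [System.Security.Cryptography.X509Certificates.X509ContentType]::SerializedStore
[System.IO.File]::WriteAllBytes($TargetSst, $subset.Export($storeType))
"Exported $($subset.Count) of $($all.Count) roots to $TargetSst"
```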
To distribute the list of trusted certificates by using Group Policy
On the domain controller that has the customized .sst file, open the Group Policy Management Editor.
In the Group Policy Management console, expand the Forest, Domains, and specific domain object that you want to modify. Right-click Default Domain Policy GPO, and then click Edit.
In the navigation pane, under Computer Configuration, expand Policies, expand Windows Settings, expand Security Settings, and then expand Public Key Policies.
Right-click Trusted Root Certification Authorities, and then click Import.
In the Certificate Import Wizard, click Next.
Enter the path and file name of the file that you copied to the domain controller, or use the Browse button to locate the file. Click Next.
Confirm that you want to place these certificates in the Trusted Root Certification Authorities certificate store by clicking Next. Click Finish. When you are notified that the certificates imported successfully, click OK.
Close the Group Policy Management Editor.
The policy is effective immediately, but the client computers must be restarted to receive the new settings, or you can type gpupdate /force from an elevated command prompt or from Windows PowerShell.
The settings described in this document configure the following registry keys on the client computers. These settings are not automatically removed if the GPO is unlinked or removed from the domain. These settings must be specifically reconfigured, if you want to change them.
Registry keys | Value and Description |
---|---|
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate | A value of 1 disables the Windows AutoUpdate of the trusted CTL. |
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate | A value of 1 enables the Windows AutoUpdate of the untrusted CTL. |
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl | Configures the shared location (the HTTP or the FILE path). |
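An added verification script (not from the original document) that reads these three values on a client, warns when trusted updates are disabled without untrusted updates being explicitly enabled, and checks that the redirected location actually serves the CTL files named earlier; the registry paths and file names come from this document, nothing else is assumed.

```powershell
# Added example (not from the original document): report the effective CTL auto-update
# settings on a client and confirm the redirected location serves the CTL files.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$UrlKey    = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

$disableRoot   = Get-RegValue $PolicyKey 'DisableRootAutoUpdate'
$enableUntrust = Get-RegValue $PolicyKey 'EnableDisallowedCertAutoUpdate'
$rootDirUrl    = Get-RegValue $UrlKey    'RootDirUrl'

"DisableRootAutoUpdate          : $disableRoot  (1 = trusted CTL updates disabled)"
"EnableDisallowedCertAutoUpdate : $enableUntrust  (1 = untrusted CTL updates enabled)"
"RootDirUrl                     : $rootDirUrl"

# Trusted roots are managed manually, but the untrusted CTL has not been explicitly
# re-enabled; the document recommends against letting untrusted updates stop.
if ($disableRoot -eq 1 -and $enableUntrust -ne 1) {
    Write-Warning 'DisableRootAutoUpdate=1 without EnableDisallowedCertAutoUpdate=1: untrusted CTL updates may not be flowing.'
}

if (-not $rootDirUrl) {
    'No RootDirUrl set; clients use ctldl.windowsupdate.com directly.'
    return
}

# Files the automatic update mechanism publishes, as listed in this document.
$ctlFiles = 'authrootstl.cab', 'disallowedcertstl.cab', 'disallowedcert.sst'

foreach ($file in $ctlFiles) {
    if ($rootDirUrl -match '^https?://') {
        $uri = "$($rootDirUrl.TrimEnd('/'))/$file"
        try {
            $resp = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -ErrorAction Stop
            "OK      $uri  (HTTP $($resp.StatusCode))"
        } catch {
            Write-Warning "MISSING $uri  ($($_.Exception.Message))"
        }
    } else {
        # FILE URLs in this document look like file://\\server1\CTL; strip the scheme.
        $share = $rootDirUrl -replace '^file://', ''
        $path  = Join-Path $share $file
        if (Test-Path -LiteralPath $path) {
            # CTLs change daily, so a file many days old means the server-side sync has stalled.
            $age = (Get-Date) - (Get-Item -LiteralPath $path).LastWriteTime
            "OK      $path  (last written $([int]$age.TotalDays) days ago)"
        } else {
            Write-Warning "MISSING $path"
        }
    }
}
```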
The following options were added to Certutil:
Syntax | Description | Example |
---|---|---|
CertUtil [Options] -syncWithWU DestinationDir | Sync with Windows Update. | CertUtil -syncWithWU \\server1\PKI\CTLs |
CertUtil [Options] -generateSSTFromWU SSTFile | Generate SST by using the automatic update mechanism. SSTFile: .sst file to be created. The generated .sst file contains the non-Microsoft root certificates that were downloaded by using the automatic update mechanism. | CertUtil -generateSSTFromWU TRoots.sst |
You may encounter the following errors and warnings when running the Certutil -syncWithWU command:
If you use a non-existent local path or folder as the destination folder, you will see the error:
The system cannot find the file specified. 0x80070002 (WIN32: 2 ERROR_FILE_NOT_FOUND)
If you use a non-existent or unavailable network location as the destination folder, you will see the error:
The network name cannot be found. 0x80070043 (WIN32: 67 ERROR_BAD_NET_NAME)
If your server cannot connect over TCP port 80 to Microsoft Automatic Update servers, you will receive the following error:
A connection with the server could not be established 0x80072efd (INet: 12029 ERROR_INTERNET_CANNOT_CONNECT)
If your server is unable to reach the Microsoft Automatic Update servers with the DNS name ctldl.windowsupdate.com, you will receive the following error:
The server name or address could not be resolved 0x80072ee7 (INet: 12007 ERROR_INTERNET_NAME_NOT_RESOLVED).
If you do not use the -f switch, and any of the CTL files already exist in the directory, you will receive a file exists error:
CertUtil: -syncWithWU command FAILED: 0x800700b7 (WIN32/HTTP: 183 ERROR_ALREADY_EXISTS) Certutil: Cannot create a file when that file already exists.
If there is a change in the trusted root certificates, you will see: "Warning! Encountered the following no longer trusted roots: <folder path>\<thumbprint>.crt. Use "-f -f" options to force the delete of the above ".crt" files. Was "authrootstl.cab" updated? If yes, consider deferring the delete until all clients have been updated."
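As an added example (not part of the original document), a wrapper for the daily scheduled sync that the Important note earlier calls for: it runs Certutil with -f, classifies the errors listed above by their HRESULT, and logs the "no longer trusted roots" warning instead of forcing the .crt deletion. The share path and log file are placeholders.

```powershell
# Added example (not from the original document): scheduled-task wrapper around
# "certutil -syncWithWU" that classifies the documented errors and warning.
$Destination = '\\Server1\CTL'        # placeholder share from the examples above
$LogFile     = 'C:\Logs\ctl-sync.log' # placeholder log location

# HRESULTs taken from the error list in this document.
$KnownErrors = @{
    '0x80070002' = 'Destination folder does not exist (ERROR_FILE_NOT_FOUND)'
    '0x80070043' = 'Network share not found (ERROR_BAD_NET_NAME)'
    '0x80072efd' = 'Cannot connect to ctldl.windowsupdate.com on TCP 80 (ERROR_INTERNET_CANNOT_CONNECT)'
    '0x80072ee7' = 'ctldl.windowsupdate.com did not resolve (ERROR_INTERNET_NAME_NOT_RESOLVED)'
    '0x800700b7' = 'CTL files already exist; -f was not passed (ERROR_ALREADY_EXISTS)'
}

function Write-Log([string]$Message) {
    $line = '{0:u} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogFile -Value $line
    Write-Output $line
}

# -f overwrites existing files so a daily run does not fail with 0x800700b7.
# A single -f does NOT delete .crt files for roots removed from the CTL; the
# warning handled below tells you when that has happened.
$output = & certutil.exe -f -syncWithWU $Destination 2>&1 | Out-String
$exit   = $LASTEXITCODE

if ($exit -eq 0) {
    Write-Log "Sync to $Destination succeeded."
} else {
    $code = [regex]::Match($output, '0x[0-9a-fA-F]{8}').Value.ToLower()
    $why  = if ($KnownErrors.ContainsKey($code)) { $KnownErrors[$code] } else { 'Unrecognised certutil error' }
    Write-Log "Sync FAILED (exit $exit, $code): $why"
    Write-Log $output.Trim()
}

if ($output -match 'no longer trusted roots') {
    # Roots were dropped upstream. The warning text advises deferring "-f -f" until
    # clients have received the new authrootstl.cab, so only record it here.
    Write-Log 'WARNING: CTL dropped roots; review before forcing .crt deletion with -f -f.'
    Write-Log $output.Trim()
}

exit $exit
```

Register the script as the scheduled task's action so a non-zero exit code surfaces as a failed task run.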