Updating the Root Certificate Store in Windows Vista and Later

All Windows-based operating systems are preloaded with a root certificate store, the purpose of which is to allow Windows machines to trust reputable, public certificate authorities by default and without user/administrator action. Because certificates expire, are revoked, and new vendors enter the market and begin issuing certificates, a method to update the certificate store is a necessary component of this architecture. In Windows XP, maintenance of the certificate store was accomplished via the standard Windows Update channels. Beginning with Windows Vista and continuing with Windows 7 and 8/8.1, however, Microsoft altered the method with which PCs update their root certificate store.

Rather than obtaining certificate store updates via Windows Update, the operating system, when attempting to access an SSL/TLS encrypted destination (e.g. via an application or web browser) whose certificate is from an untrusted source, will instead attempt to verify the certificate issuer using a publicly available verification URL. If the certificate issuer is trusted by Microsoft, the operating system downloads the issuer’s certificate authority (CA) root certificate and the user is able to proceed. Note that this process occurs in the background and is seamless to the user. By contrast, if the certificate issuer is not trusted by Microsoft, or the machine is unable to access the verification URL, the user will receive an error message stating that the certificate was not issued by a trusted authority, as seen below.

[Screenshots not reproduced] Untrusted certificate authority errors in Internet Explorer (top) and Microsoft Office Outlook (bottom)

Note that these same errors are encountered whether the verification URL is unreachable or the certificate issuer is simply untrusted by Microsoft (as would be the case when internally issued, untrusted certificates are used). To confirm whether the computer has been unable to reach the verification URL, open Event Viewer and look for event ID 4101 from source Microsoft-Windows-CAPI2 in the Application log, as seen below.

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Event ID:      4101
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      mycomputer.domain.com
Description:
Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt> with error: This network connection does not exist.

Computers that are able to successfully access the verification URL will instead log event ID 4100 in the Application log:

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Event ID:      4100
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      mycomputer.domain.com
Description:
Successful auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/47BEABC922EAE80E78783462A79F45C254FDE68B.crt>.

Note that when the machine is unable to access the verification URL, it is quite possible that the URL is simply blocked by a proxy or web filtering solution. This is more common in corporate environments, particularly those in which Internet access is heavily restricted and allowed on a per-exception basis. While this may not pose a problem initially, it will compound over time as certificates are revoked, issuers renew their certificate authority certificates, and new vendors begin issuing certificates. The administrator in such an environment is then left with two options: the first is to simply unblock access to the URL, and the second is to manually maintain and update root certificate stores across the enterprise (typically using Group Policy). The former option is preferred whenever possible, as it largely automates the process and is simply a matter of unblocking the ctldl.windowsupdate.com domain on the corporate proxy or web filter.
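The following PowerShell script is an added example, not part of the original article: it pulls the CAPI2 4100/4101 events described above from the Application log, extracts the retrieval URL and error text from each message, counts successes against failures, and then tests whether ctldl.windowsupdate.com is reachable on TCP port 80. The look-back window ($Days) and the use of a raw TCP connect as the reachability test are assumptions of the example, not details from the article.

```powershell
# Added example, not from the original article: summarise CAPI2 root-certificate
# auto-update events (4100 = success, 4101 = failure) and check reachability of
# the ctldl.windowsupdate.com endpoint. Run in an elevated PowerShell session.
# Assumptions: look-back window ($Days) and the TCP/80 connect test.

param([int]$Days = 30)

$ctlHost = 'ctldl.windowsupdate.com'

# Both outcomes come from the same provider in the Application log.
$filter = @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4100, 4101
    StartTime    = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Message format: "... retrieval of third-party root certificate from: <URL>"
# followed, for 4101 only, by " with error: <text>."
$pattern = 'from: <(?<url>[^>]+)>(?: with error: (?<err>.+?))?\.?\s*$'
$report = foreach ($e in $events) {
    $m = [regex]::Match($e.Message, $pattern)
    [pscustomobject]@{
        Time   = $e.TimeCreated
        Result = if ($e.Id -eq 4100) { 'Success' } else { 'Failure' }
        Url    = if ($m.Success) { $m.Groups['url'].Value } else { $null }
        Error  = if ($m.Success) { $m.Groups['err'].Value } else { $null }
    }
}

$report | Sort-Object Time | Format-Table -AutoSize

# Repeated 4101s with no 4100s point to a blocked or filtered endpoint rather
# than an issuer that Microsoft does not trust.
$failures  = @($report | Where-Object { $_.Result -eq 'Failure' }).Count
$successes = @($report | Where-Object { $_.Result -eq 'Success' }).Count
"Last $Days days: $successes successful, $failures failed root retrievals."

# Reachability check: the logged URLs are plain HTTP, so try a TCP connect to 80.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($ctlHost, 80)
    "TCP/80 to ${ctlHost}: reachable"
    $tcp.Close()
} catch {
    "TCP/80 to ${ctlHost}: unreachable ($($_.Exception.Message)); check proxy/web filter rules"
}
```

Where all outbound HTTP must traverse a proxy, the direct TCP test will fail even when the proxy permits the domain; in that case the 4100/4101 counts are the authoritative signal.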

References:

Microsoft Root Certificate Program (https://technet.microsoft.com/en-us/library/cc751157.aspx)