Root Certificates and Revoked Certificates for Windows XP

[heinoganda]

Update for root certificates:

New:

CN = ISRG Root X1
O = Internet Security Research Group
C = US

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable rootsupd.exe should follow his instructions for creating their own, or PM at 5eraph for an updated EXE file.

Edited July 31, 2018 by heinoganda

[Dave-H]

15 hours ago, heinoganda said:

Has the added functionality of Cert Updater v1.3 been tested yet? Read in the "Info Version 1.3.txt".

@Dave-H

Have you already tested the problem solution for Event ID 4107 or Event ID 11 with the batch file or Manually?

Our lottery player would like to return his ticket. Oops, what is the "resident supermegaüberhyper-ultraparanoid"? 

I did my netbook a while ago, originally just manually deleting all the files in the CryptnetUrlCache folders.
I did then decide just to try the certutil command to see what else it might do.
I didn't want to install the Admin Pack on that machine, so I just copied the certutil.exe and certadm.dll files from the main machine to \system32 on the netbook.
When I ran the "certutil -urlcache * delete" command, I was surprised to find it appeared to do a lot more, deleting a lot of entries.
They went through pretty fast but they looked like URLs, rather than the files in the CryptnetUrlCache folders, which appear to just have numbers as their names.
All seems to be still working anyway.

Edited August 1, 2018 by Dave-H
Added quotation, as post is on a new page

[heinoganda]

When using certutil.exe, the WinINIT entries are also deleted. Whether that has an impact on the error Event ID 11 I can not verify unfortunately because this error has not occurred with me. The fact is, if the content in the "CryptnetUrlCache" folders is deleted, this content also no longer exists with certutil.exe. Then there is still on the support side of MS even more "CryptnetUrlCache" folder where the contents should be deleted manually. Remember that the specified folder structure refers to more modern Windows variants. You should first have to see if the error after deleting the contents in the "CryptnetUrlCache" folders still exists.

[Monroe]

Well I tried to install uBlock Origin to New Moon 28 and I got this message:

The add-on downloaded from addons.mozilla.org could not be installed because New Moon does not support WebExtensions.

This is the link I was at ...

https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/

Also, I will add, the newer version of Certificates Updater v1.3 does not work for me. A little box opens with this information:

"HTTPDL.exe has encountered a problem and needs to close. We are sorry for the inconvenience."

The CU version 1.2 works just fine so I will continue to use it. I have never added the newer POS Ready updates to WinXP so I don't have any real problems with XP for now with everything being discussed dealing with certutil.exe and certadm.dll.

I just thought I should probably update the Certificate Updater to the latest version 1.3 ... in fact I don't even have certutil.exe and certadm.dll in my WinXP setup. Nothing was found anywhere in a 'search' and I did not add those two items to my XP setup.

I guess all this information and discussion about certutil.exe and certadm.dll is only for people using the POS Ready updates.

...

[heinoganda]

The HTTPDL.exe (WGET) may result in an error message that does not exist because of your processor's specific SSE support. The new version of WGET is needed so that encrypted downloads are possible. Sorry, but what has the certutil.exe and certadm.dll to do with the Certificates Updater v1.3? Maybe some users should first read the previous posts and not overread. Apparently, many users have not yet understood that it was originally about fixing the error Event ID 4107 or Event ID 11. There is a support page of MS, which refers to newer versions of Windows (some users it is omitted that the support of Windows XP since April 2014 is officially terminated, therefore, no Fixit Tool, as well as the described solution refers rather to Windows 7).

Otherwise read from here!
https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/?do=findComment&comment=1152521

 

[Monroe]

Well, I was just confused with all the posts running togther and that they were connected in someway with certutil.exe and certadm.dll and Certificates Updater v1.3.

After I did not find certutil.exe and certadm.dll on my machine after doing a 'search', I wasn't too concerned that any of this applied to me so I didn't check it out very much more.

I have a Pentium M CPU with MMX, SSE and SSE2 support.

I did get some assistance from Yogi at the K-Meleon forum as to why I could not install uBlock Origin to New Moon 28.

He posted this:

Posted by: Yogi
Date: August 01, 2018

Web extensions work only with Firefox Quantum. Keep in mind that web extensions are less powerful than legacy extensions used to be since Mozilla doesn't provide the neccessary APIs anymore. Often legacy extensions are only a bad joke compared to what legacy extensions used to be.

This is the legacy extension of uBlock which works with Firefox 52 and probably with its forks depending on how old the code of those forks is.
https://github.com/gorhill/uBlock/releases/tag/firefox-legacy-1.16.4.4

I don't use that extension so I can't serve you with more informations.
---------------------------------------------------------------------------------------------------------------

However, siria, who also posts here at MSFN made a discovery about using an older version K-Meleon 1.6 with zippyshare ... and it seemed to work OK.

Posted by: siria
Date: August 01, 2018

Hmm.... now I'm confused. Mighty... It's been awhile that I've given up on zippyshare already, and at the time it drove me mad too, but out of curiosity now took another look again. Just googled for some random zippy link on msfn for testing. And am shocked - no Ads in my KM1.6! And only 1 single download link, no others to be found anywhere. This button is BIG and ORANGE though, usually screaming "Download Me! I'm fake!", but looks almost exactly as the screenshot over at MSFN (https://img2.picload.org/image/dlailwwl/certinfo.jpg), except for 3 small empty rectangles with "Advertisement" written over them. And that download link even works with minimal JS, only from inside the page, no external js-files needed, no Ajax, not even cookies or referer!

Have even disabled "adblock.css", but still same result.
Have renamed my HOSTS file and reloaded - still same result.
Have allowed foreign iframes - still same result. Empty little rectangles, no popups or junk anywhere.

But cannot toggle permissions.sqlite during session, and no idea if possible?
Also, keep Popups blocked with a more restrictive whitelist, as once advised by JohnHell:
dom.popup_allowed_events = change click dblclick #mouseup reset #submit #touchend
dom.server-events.enabled = false

And have only tested with minimal javascript for zippy, but for other sites have toolbar buttons for quickly toggling those on again if needed:
javascript.enabled = true
permissions.default.script (INT) = 2 (block all)
permissions.default.xmlhttprequest (INT) = 2 (block all, ajax)
--------------------------------------------------------------------------------------

So I am going to put an older version of KM on my computer to experiment with this ... maybe I can just keep an older version of KM handy for all zippyshare downloads.
...

Edited August 1, 2018 by Monroe

[heinoganda]

Apparently it suits my suspicion that there is a problem with SSE, but because of the possibility of encrypted downloads with WGET I can not go to an older version. Do not have the ability to recompile WGET again so that this synonymous with their processor tolerates. Maybe there are other users to recommend where to get a working version of WGET is the encrypted downloads and works on your processor.

Otherwise, I ask things that have nothing to do with the actual topic of opening a new topic, because this topic is already confusing enough!
 

@glnz

If you have the problem with Event ID 4107 or Event ID 11, create a new text file, copy the code for the batch file (https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/?do=findComment&comment=1152587), paste it into the text file, save it, rename text file in cleanup.bat, and execute. Thereafter, the problem with Event ID 4107 or Event ID 11 should no longer exist.

[Thomas S.]

@heinoganda

I'm scripting a new launcher for httpsproxy with some automated functions.

One is that at a certain interval (1-x days) cacert.pem is downloaded every time the launcher is started.

Also possible would be an automated update of the certificates of Win XP.

But this would require a version of CertUpdater, which goes through without confirmation.

And (better, but no requirement) returns the success by ERRORLEVEL).

Would such a tool be possible? It should not be too complicated, but automatically wouldn't be bad.

BTW I use wget from https://eternallybored.org/misc/wget/ to get cacert.pem from curl.

 

[Thomas S.]

On 7/31/2018 at 10:22 PM, heinoganda said:

Has the added functionality of Cert Updater v1.3 been tested yet?

Yes. It works. (Not looking at all the certs, of course).

But do you think it is a good way?

May be it dosn't matter and is safe, but for me the direct origin way is the best and recommended for such sensitive stuff.

And think about the users that don't understand the way it is working...

 

Edited August 2, 2018 by Thomas S.

[heinoganda]

On 8/1/2018 at 10:57 PM, Thomas S. said:

Also possible would be an automated update of the certificates of Win XP.

But this would require a version of CertUpdater, which goes through without confirmation.

And (better, but no requirement) returns the success by ERRORLEVEL).

It would be no problem to integrate a parameter option with the CertUpdater, if the servers of MS would not offer obsolete sst files from time to time.

Following a current example:

 

Faulty download, compare the date of sst files with my update announcement.

 

In this case, an additional feature has been added to the Cert_Updater v1.3.

 

 

@All

Since there were problems with older processors in the Cert_Updater v1.3, I have replaced WGET with another version. If you also have problems you should download the Cert_Updater again.

Download Cert_Updater

Edited August 3, 2018 by heinoganda

[Dave-H]

Looks like I spoke too soon, the crypt32 ID 11 error events have come back again!
I've done the fix again.

[heinoganda]

7 hours ago, Dave-H said:

Looks like I spoke too soon, the crypt32 ID 11 error events have come back again!

You may also like to try the batch file. Strange, the search for the proverbial needle in a haystack.

Edited August 10, 2018 by heinoganda

[Dave-H]

Well the "fix" didn't work this time!

Back to the same problem as before.
I will try the batch file to see if it produces a better result.

[Dave-H]

Well I now have a nice clean new set of six crypt32 entries in my Application Log this morning, with no errors.
Of course this happened before too, but it didn't last and the errors were soon back.
Fingers crossed for this time!

[Dave-H]

And now it's back to as it was before!

 

So the clearing of the caches is obviously not the answer!
Somewhere there is an expired certificate that is presumably causing this, but I don't seem to have been able to identify it to remove it and/or update it.
It can't be an intrinsic problem with Windows XP, or everyone would be reporting it!
I think what I'm going to have to do is to completely reset the certificates system on my machine and delete them all and start from scratch again.
Has anyone any input on the safest way of doing this?
Thanks, Dave.

Edited September 1, 2018 by Dave-H
Addition