
Root Certificates and Revoked Certificates for Windows XP


heinoganda


Well I've just manually downloaded authrootstl.cab and extracted the authroot.stl file from it.
Looking at its contents, it dates from 22nd September 2017, so it's nearly a year old, and it contains a lot of long-expired certificates!
Why is Windows Update serving such an old version, and is it possible to change it to download the current version, even if it's not intended for XP systems?
Presumably this problem must be happening on genuine POSReady systems?
:dubbio:

Edited by Dave-H
Correction


@Dave-H

Have you ever tried to create and test the batch file from the following link?

https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/?do=findComment&comment=1152587

Otherwise, a suggestion: if you have the opportunity to create a virtual machine with, for example, VMware Player and install Windows XP SP3 in it, I can gladly provide my update rollup, with which you can thoroughly test whether this error also occurs (you can then gradually install your usual programs to see from what point the error occurs).

Addendum:
Regarding the outdated authrootstl.cab from 22nd September 2017: look here for where the file authrootstl.cab should be; this problem has already been discussed in this topic, and that is also why the current Certificate Updater 1.3 has an additional feature (please read info version 1.3.txt).

Incidentally, I have set IE 8 to use only TLS 1.2 for encryption.

:)

Edited by heinoganda

Thanks as always @heinoganda!
I have run your batch file before, and done manual cleaning too, but clearing the certificate caches and deleting the certificates themselves only seems to work for a short time, and then the errors just come back again.
I really don't want to get into effectively creating a new XP system to test whether this occurs again with that, it's a lot of trouble with no guarantee that it would reveal the source of the problem. It's happening on two completely independent XP installations on two machines, which would seem to indicate to me that it's pretty ubiquitous, even if not everyone seems to be seeing the errors.
Fundamentally, it looks as if Windows Update is serving an out of date file to the system, which is throwing error messages because there are a lot of expired certificates in it.
Deleting the expired certificates will not do any good of course, as they will just be downloaded again!
Presumably there is an up to date version of the file being served to later versions of Windows, but I don't know what address it's coming from.
If it was possible to find that out, it might be possible to change the Windows Update download address so XP and POSReady systems get the current version.
:dubbio:

 


On 9/15/2018 at 2:43 PM, Dave-H said:

[screenshot: Image2.jpg]

@Dave-H
Since you seem to be getting Event 11 errors for crypt32, maybe you have the automatic Update Root Certificates component still active in your XP installation? It would seem quite odd for you to be getting lots of errors about not being able to extract certificates from a WU cab unless something was trying to update them. Given that you're updating manually (or via @heinoganda's tool) anyway, you should probably turn it off even if that won't resolve the errors issue.

  1. In Control Panel, run Add or Remove Programs.
  2. Click Add/Remove Windows Components in the left-hand column.
  3. Scroll all the way down to Update Root Certificates, clear the check box, click Next, and then complete the Windows Components Wizard.

Pardon me if this is old news to you. I tried checking back in this thread to see if this component was mentioned in connection with your problem and didn't find anything.

Edited by mixit
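The three wizard steps above can also be scripted. The PowerShell below is an added example, not code from this thread or from heinoganda's updater: it feeds sysocmgr.exe an unattended answer file that removes the Update Root Certificates component, and additionally sets the registry value behind the "Turn off Automatic Root Certificates Update" policy so crypt32 stops fetching the list even if the component files linger. Assumptions on my part: the component's name in sysoc.inf is RootAutoUpdate, the answer file lives under %TEMP%, the final check reads the OC Manager\Subcomponents key where the component state is recorded, and the machine has PowerShell 2.0 on XP SP3 with an administrator account.

```powershell
# Added example (not from the thread): disable the Update Root Certificates
# component from the command line instead of the Windows Components Wizard.
# Run as an administrator on XP SP3 with PowerShell 2.0.
# Assumed: component name RootAutoUpdate, answer-file path, OC Manager key.

$answerFile = Join-Path $env:TEMP 'rootau-off.txt'
$sysocInf   = Join-Path $env:SystemRoot 'inf\sysoc.inf'

# 1. Unattended answer file: same effect as clearing the check box in the
#    wizard. The section and key names are the ones the XP unattend
#    reference documents for this component.
@'
[Components]
RootAutoUpdate = Off
'@ | Set-Content -Path $answerFile -Encoding ASCII

# 2. Let the Optional Component Manager apply it quietly (/q = no UI).
& (Join-Path $env:SystemRoot 'system32\sysocmgr.exe') "/i:$sysocInf" "/u:$answerFile" '/q'

# 3. Belt and braces: the Group Policy "Turn off Automatic Root Certificates
#    Update" writes this value, and crypt32 consults it before going to WU.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' -Value 1 -Type DWord

# 4. Report what was recorded (assumed location of OC Manager's state).
$ocKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents'
$installed = (Get-ItemProperty -Path $ocKey).RootAutoUpdate
$policy    = (Get-ItemProperty -Path $policyKey).DisableRootAutoUpdate
"RootAutoUpdate component installed flag : $installed   (0 = removed)"
"DisableRootAutoUpdate policy value      : $policy      (1 = auto-update off)"
```

Once this has run, nothing on the machine will refresh the AuthRoot store on its own any more, so the manual updater (or a scheduled run of it) becomes the only source of new roots; that is the trade-off Dave-H weighs in the reply below.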

Thanks, yes I was aware of the option to disable the function, although it probably hadn't been specifically mentioned in the thread.
I was hoping to fix the problem though of course, rather than just working around it by disabling the function!
If it proves to be a function that fundamentally no longer works on XP, I will switch it off of course, but I haven't quite yet given up on finding a fix!
:)


17 hours ago, Dave-H said:

Thanks as always @heinoganda!
I have run your batch file before, and done manual cleaning too, but clearing the certificate caches and deleting the certificates themselves only seems to work for a short time, and then the errors just come back again.
I really don't want to get into effectively creating a new XP system to test whether this occurs again with that, it's a lot of trouble with no guarantee that it would reveal the source of the problem. It's happening on two completely independent XP installations on two machines, which would seem to indicate to me that it's pretty ubiquitous, even if not everyone seems to be seeing the errors.
Fundamentally, it looks as if Windows Update is serving an out of date file to the system, which is throwing error messages because there are a lot of expired certificates in it.
Deleting the expired certificates will not do any good of course, as they will just be downloaded again!
Presumably there is an up to date version of the file being served to later versions of Windows, but I don't know what address it's coming from.
If it was possible to find that out, it might be possible to change the Windows Update download address so XP and POSReady systems get the current version.
:dubbio:

 

Dave-H, I just want you to know that you are not the only person with this issue... this has popped up on my system following the last round of updates. I have been following this thread to see what adjustments I should make to correct it. The suggestion just made by @mixit sounds like a good option to try, and I have just turned off update certificates. Hopefully that will rectify the problem, since I am using @heinoganda's certificate updater v1.3...

[screenshot: screen shot.JPG]


1 hour ago, Dave-H said:

Thanks, yes I was aware of the option to disable the function, although it probably hadn't been specifically mentioned in the thread.
I was hoping to fix the problem though of course, rather than just working around it by disabling the function!
If it proves to be a function that fundamentally no longer works on XP, I will switch it off of course, but I haven't quite yet given up on finding a fix!
:)

I guess I'm not sure why you think you still need this active if you're doing your updates separately anyway? You're already "working around" this functionality as is.

I think it was you who pointed out earlier in the thread that the current authroot.stl dates from 2017/9/22. Viewing its signature shows that the Microsoft Certificate Trust List Publisher certificate it's signed by was valid from 2017/1/25 to 2018/4/13. I'd venture a guess that this is when your errors started (can't tell by this thread as MSFN forum issues seem to have wiped out some of the posts). Until Microsoft updates this list, I believe you're always going to have the problem with the Event 11 certificate validity errors against your system clock:

On 8/11/2018 at 3:18 AM, Dave-H said:

[screenshot: Image1.jpg]
Edited by mixit
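mixit's reasoning about the signer's validity window can be checked directly on the affected machine. The PowerShell below is an added example, not code from the thread: it downloads authrootstl.cab from the address Vistaboy quotes further down, unpacks it with expand.exe (which restores the member's stored timestamp, the "dates from" value people here are reading off the file), decodes authroot.stl as PKCS#7 SignedData with .NET's SignedCms class, confirms the payload is a Certificate Trust List, and prints the signing certificate's NotBefore/NotAfter next to the system clock. Assumptions on my part: PowerShell 2.0 (.NET 2.0 SP1 or later) on XP SP3, and a scratch directory under %TEMP%; the URL, the tools and the .NET API are otherwise standard.

```powershell
# Added example (not from the thread): inspect the signature on authroot.stl
# and compare the signer's validity period with this machine's clock.
# Assumed: PowerShell 2.0 on XP SP3, scratch directory under %TEMP%.

$cabUrl = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab'
$work   = Join-Path $env:TEMP 'authroot-check'
$cab    = Join-Path $work 'authrootstl.cab'
$stl    = Join-Path $work 'authroot.stl'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Fetch the cab the same way crypt32 does: plain HTTP. The PKCS#7
#    signature, not the transport, is what protects the list.
(New-Object System.Net.WebClient).DownloadFile($cabUrl, $cab)

# 2. expand.exe ships with XP and keeps the member's original timestamp.
& (Join-Path $env:SystemRoot 'system32\expand.exe') $cab '-F:authroot.stl' $work | Out-Null
"authroot.stl timestamp inside the cab : {0:yyyy-MM-dd}" -f (Get-Item $stl).LastWriteTime

# 3. The .stl is PKCS#7 SignedData whose payload is a Certificate Trust List
#    (Microsoft OID 1.3.6.1.4.1.311.10.1, szOID_CTL).
Add-Type -AssemblyName System.Security
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes($stl))

$ctlOid = '1.3.6.1.4.1.311.10.1'
"Payload content type                  : {0}" -f $cms.ContentInfo.ContentType.Value
if ($cms.ContentInfo.ContentType.Value -ne $ctlOid) { Write-Warning 'Payload is not a CTL' }
"Certificates carried in the blob      : {0}" -f $cms.Certificates.Count

# 4. Does the signature still verify mathematically ($true = signature only,
#    no chain or time check), and is the signer inside its dates right now?
try {
    $cms.CheckSignature($true)
    'Signature                             : verifies'
} catch {
    Write-Warning "Signature does not verify: $($_.Exception.Message)"
}

$now = Get-Date
foreach ($si in $cms.SignerInfos) {
    $c = $si.Certificate
    if ($c -eq $null) { Write-Warning 'Signer certificate is not embedded in the list'; continue }
    "Signer                                : {0}" -f $c.Subject
    "Signer valid                          : {0:yyyy-MM-dd} to {1:yyyy-MM-dd}" -f $c.NotBefore, $c.NotAfter
    if ($now -gt $c.NotAfter) {
        $days = [int]($now - $c.NotAfter).TotalDays
        $msg  = 'Signer certificate expired {0} days ago relative to this clock; that is the validity failure mixit links to the Event 11 entries.' -f $days
        Write-Warning $msg
    } elseif ($now -lt $c.NotBefore) {
        Write-Warning 'Signer certificate is not yet valid; check the system clock.'
    }
}
```

Run it once with the auto-update component still enabled and once after a manual update to compare what WU serves with what you installed; if the signer line shows the 2017-01-25 to 2018-04-13 window mixit mentions, the expiry warning will fire on any correctly set clock.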

Bizarrely, when I download authrootstl.cab now, its contents are dated 21st August 2018, which I don't understand at all!
Still doesn't work though.
:wacko:
Well if, as you say, the automatic crypt32 updates do exactly the same thing as @heinoganda's manual updater does, there is no point in using both.
I guess as you say that what MS is serving through the automatic system is now just very out of date, and therefore throwing errors.
Strange though that the automatic update system is still trying to do updates when the manual updater has been run, so the latest certificates should already be there!
Were it not that this is presumably happening on "genuine" POSReady systems as well as hacked XP systems, I would say that it was something that won't be fixed, but if it's happening on supported system, it should be fixed!
Mind you, look at how long it took them to fix the forever-scanning Windows Update issue...
:lol:

Edited by Dave-H

@Dave-H
I'm still getting the 2017 version here. MS caches seem to be a crapshoot in terms of getting the latest certificate updates (for example I'm also still not getting the latest update @heinoganda notified us about). Not the first time this has happened, either. I wouldn't even be surprised if the version you downloaded manually just now was different than the one WU gets when it tries.

I don't know about "exactly", but functionally, yes, for our purposes they should be the same. The automatic updater wouldn't know about your manual updates as the mechanism it uses is different (.sst vs .stl), and thus also its versioning. I don't think there's any checking being done against individual certificates being present or not.

Edited by mixit

Thanks, so I guess switching off the automatic updating system and just using the manual updater when prompted (or on a regular schedule) is the answer.
I'm actually quite relieved that this does not seem to be a problem just on my systems, and is actually yet another problem caused by Microsoft's flaky updates!
Actually I've always been surprised that we're getting the automatic updates at all, but I assume this is for the benefit of "real" POSReady systems, which are still supported.
If enough people with them complain about the endlessly logged errors, perhaps it will get fixed, but I'm not holding my breath!
:lol:

@Dave-H You can tell them if something's wrong: as long as it's just feedback, MS support doesn't check the licence. I do it all the time, pretending to be on POSReady. As for this one, I'm going to report it as well, since it's happening on my machine too.

[screenshot: crypt.JPG]

Anyway, I just disabled the Update Root Certificates from the Windows Components Wizard, as @mixit suggested.

Hopefully, this is gonna solve the problem, as I already update my certificates once a month using the Cert_Updater_v1.3.exe

Edited by FranceBB

I can confirm the certificate problem on a freshly installed XP (not POSReady-converted, not yet :)).

Deleting the folder WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content and removing the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates can't resolve the problem because, as said, the official .cab http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab is outdated (21 August 2018 deadline), which gets you into a silly scenario where even the Microsoft site is untrusted.

This behaviour happens only if you use Chrome and IE8 (maybe they are highly related), while with FF there's no evidence of that problem.

Edited by Vistaboy
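The manual reset Vistaboy describes, scripted as an added example (not code from the thread). It exports the AuthRoot\Certificates key with reg.exe before deleting it, clears the CryptnetUrlCache folder he names together with the MetaData index that sits beside Content (that second folder is my addition), and counts the AuthRoot store through the Cert: drive before and after so you can see the deletion took effect. Needs an administrator account and PowerShell 2.0 on XP SP3; the backup path under %TEMP% is assumed.

```powershell
# Added example (not from the thread): reset the roots crypt32 installed
# from the downloaded CTL, with a registry backup first.
# Run as an administrator. Assumed: backup path under %TEMP%; MetaData is
# the index folder next to Content and is cleared along with it.

$cacheDir   = Join-Path $env:SystemRoot 'system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache'
$authRootPs = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$authRootRg = 'HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
$backup     = Join-Path $env:TEMP ('AuthRoot-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

function Get-AuthRootCount {
    # The Cert: drive is a view over the same registry key deleted below.
    @(Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot').Count
}

"AuthRoot certificates before : {0}" -f (Get-AuthRootCount)

# 1. Back up first. reg.exe wants the HKLM\... spelling, not the PS drive path.
if (Test-Path $authRootPs) {
    & reg.exe export $authRootRg $backup | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Backup failed; aborting before deleting anything' }
    "Backup written to            : $backup"
}

# 2. Drop the cached authrootstl.cab and the per-URL .crt downloads.
foreach ($sub in 'Content', 'MetaData') {
    $p = Join-Path $cacheDir $sub
    if (Test-Path $p) { Get-ChildItem -Path $p -Force | Remove-Item -Recurse -Force }
}

# 3. Remove the certificates crypt32 installed from the stale list.
if (Test-Path $authRootPs) { Remove-Item -Path $authRootPs -Recurse -Force }

"AuthRoot certificates after  : {0}" -f (Get-AuthRootCount)
```

As Dave-H points out earlier in the thread, this only buys time while the Update Root Certificates component is still enabled: the next chain build fetches the same stale cab and repopulates the key. Pair it with disabling the component and re-run the manual updater afterwards; the .reg backup lets you restore the previous state if a site stops validating.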

2 hours ago, Vistaboy said:

This behaviour happens only if you use Chrome and IE8 (maybe they are highly related), while with FF there's no evidence of that problem.

... Mozilla Firefox (and forks) uses its own certificate store, while IE and Google Chrome use the OS-supplied one... ;)

