heinoganda

Root Certificates and Revoked Certificates for Windows XP

On 2016/10/3 at 9:11 AM, blackwingcat said:

It seems to have no effect on XP.

The "WoSign 1999" cert should be blocked since 2016/9/20.

Thanks for finding this out, I was wondering what the heck had actually changed as everything looked the same. Apparently MS expects us to manually move this certificate to Untrusted?...:rolleyes:


A registry compare shows that many of the registry entries were changed (342 relevant entries in the keys below), but none were added or removed.  Perhaps MS hasn't addressed WoSign yet.  If not, maybe it will later.

     HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates
     HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates

  • Upvote 1


authroots.sst, delroots.sst and updroots.sst were updated by Microsoft on 2016/11/12 and released today in November's scheduled release.

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable RootsUpd.exe should follow his instructions for creating their own, or PM me for an updated EXE file.

Edited by 5eraph
  • Upvote 4


Small info: this morning, when 5eraph's info was just 7 hours old, the old certificates were still present on MS's European content servers. It took about 2-3 hours until the current certificates were also available here. Therefore, no one should be surprised if the current certificate updates are not available at the same time everywhere, especially if the info is very up-to-date!
(If the Cert_Updater only updates old root certificates, simply run it again at a later time.)
 

@5eraph

Thanks for the info! :thumbup

:)

Edited by heinoganda


Heinoganda - I run your cert_updater from time to time on my XP.  The latest cert updates are still November 2016.

But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago.  For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up.  See attachment here.

Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business.  Those are not promo emails; I frequently respond to their emails, a few times per month.

(FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.)

Are we sure the Cert_updater is getting good lists of current certificates?  I'm sure it's working, but is it reaching for the right source data?

Thanks.

Nat Area Rug certificate problem 2-2-17.jpg

Edited by glnz


@glnz
If you click View Certificate there, what is the exact error the certificate displays? Based on something I encountered with some other software recently, I may have an idea about why this is happening to you, but since I haven't dealt with this problem in IE/OE context, it's better to have more information first. If it is what I'm guessing, cert updates are not the problem.


I too have experienced this exact certificate security alert.  It always appears when I receive e-mails with photos of products from a music dealer I buy from in Germany.  Each photo in the e-mail, when loading, displays this alert.  If I click Yes, the photo is NOT displayed in the e-mail and another alert appears for the next photo... this continues until all the photos are presented.  The e-mail is in HTML format and I am using Outlook Express version 6.00.2900.


@glnz

There are certificates that Windows XP can manage, but older Internet browsers or e-mail clients no longer work with more modern encryption methods. Google Chrome also relies on the Windows XP certificate management, but can use more modern encryption methods to access these certificates and work. There are exceptions like ECC certificates, which the certificate management of Windows XP cannot process. That is why some users have thought about an HTTPS proxy, which has its own CA certificate management, accepts all secure connections and passes them on again to older programs in an encryption they understand. Otherwise, with your information I cannot concretely reconstruct this problem. From Properties, in the source text of the incorrectly displayed e-mail, I need the links to the external image files (check beforehand that nothing private is there by just opening the link in Firefox or Google Chrome), which you can give me via PM. Also, use Outlook Express for plain text e-mails, but generally allow no access to external links in HTML e-mails (very high security risk!).

:)

11 hours ago, glnz said:

Heinoganda - I run your cert_updater from time to time on my XP.  The latest cert updates are still November 2016.

But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago.  For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up.  See attachment here.

Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business.  Those are not promo emails; I frequently respond to their emails, a few times per month.

(FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.)

Are we sure the Cert_updater is getting good lists of current certificates?  I'm sure it's working, but is it reaching for the right source data?

Thanks.

Nat Area Rug certificate problem 2-2-17.jpg

9 hours ago, Dclem said:

I too have experienced this exact certificate security alert.  It always appears when I receive e-mails with photos of products from a music dealer I buy from in Germany.  Each photo in the e-mail, when loading, displays this alert.  If I click Yes, the photo is NOT displayed in the e-mail and another alert appears for the next photo... this continues until all the photos are presented.  The e-mail is in HTML format and I am using Outlook Express version 6.00.2900.

That error dialog does not look like a root certificate issue to me. If it were, I'd expect the warning flag on the first line, not the third.

To me it looks like a problem with the server configuration. That said, it could be that XP isn't handling new certificate extensions, so it thinks the certificate is invalid for the site even though it actually isn't. Have you downloaded the latest IE 6 updates? (You may need the POSReady '09 hack for this.)

BTW, if at some point you want to upgrade from OE 6, I'd recommend Windows Live Mail. It's much more like OE 6 than the Outlook from MS Office, and it will import all your OE 6 mail and contacts. The 2009 version runs on XP, but you'll need the offline installer.


@glnz
On second thought, instead of us spending time with Q&A, you can just try this fix and see if it works; it's not a complicated procedure.

Open up regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root. If it already has a ProtectedRoots subkey, open it, otherwise create it. Then, in that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots key, create a new DWORD value named Flags and set its value to 20 (Hexadecimal). I think this worked for my problem even without rebooting, but if it doesn't for you, reboot and try it then.

This sets the CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG and gets around some new certs using name constraints in a way that works out of the box with the likes of Win7, but not with XP. Now, be aware that I'm not expert enough in this field to be able to tell you with 100% confidence that this change won't potentially open up a way for some fraudulent certs to slip through, but it seems OK to do based on what I've googled. YMMV and all that. I had to make this change to get my renewed smart card certificates to work.

If this doesn't work in your case, the problem may well be about the ECC issue @heinoganda mentioned. I just figured it might be the name constraint issue based on OE telling you that "the name on the security certificate is invalid". Might want to remove the newly created registry key if it doesn't help you.

Edited by mixit
typos
  • Upvote 2
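The registry change mixit describes, as an added example script that is not from the thread or from any poster's tool. It assumes an elevated PowerShell session (2.0 is the last release for XP) and goes one step beyond the post: it ORs the 0x20 bit into whatever Flags value already exists instead of overwriting it, and a -Revert switch clears just that bit again so the change can be backed out cleanly.

```powershell
# Added example: set or clear the ProtectedRoots Flags bit from the thread
# (CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG = 0x20) while
# preserving any other policy bits. Assumes an elevated session.
param([switch]$Revert)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots'
$NameConstraintFlag = 0x20   # value quoted in the thread

function Get-ProtectedRootsFlags {
    # Returns the current Flags DWORD, or 0 when the key or value does not exist yet.
    if (-not (Test-Path $KeyPath)) { return 0 }
    $item = Get-ItemProperty -Path $KeyPath -Name Flags -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 0 }
    return [int]$item.Flags
}

function Set-ProtectedRootsFlags([int]$Flags) {
    # The key normally does not exist on XP, so create it on first use.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # -Force overwrites an existing value; REG_DWORD matches what regedit would create.
    New-ItemProperty -Path $KeyPath -Name Flags -Value $Flags `
        -PropertyType DWord -Force | Out-Null
}

$before = Get-ProtectedRootsFlags
if ($Revert) {
    # Clear only our bit; other bits an admin may have set survive.
    $after = $before -band (-bnot $NameConstraintFlag)
} else {
    $after = $before -bor $NameConstraintFlag
}

if ($after -ne $before) {
    Set-ProtectedRootsFlags $after
}
'ProtectedRoots Flags: 0x{0:X} -> 0x{1:X}' -f $before, $after
```

Run it once to apply the fix and with -Revert to undo it; as mixit notes, a reboot may be needed before the change takes effect.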

14 hours ago, mixit said:

@glnz
On second thought, instead of us spending time with Q&A, you can just try this fix and see if it works; it's not a complicated procedure.

Open up regedit, go to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root. If it already has a ProtectedRoots subkey, open it, otherwise create it. Then, in that HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots key, create a new DWORD value named Flags and set its value to 20 (Hexadecimal). I think this worked for my problem even without rebooting, but if it doesn't for you, reboot and try it then.

This sets the CERT_PROT_ROOT_DISABLE_NOT_DEFINED_NAME_CONSTRAINT_FLAG and gets around some new certs using name constraints in a way that works out of the box with the likes of Win7, but not with XP. Now, be aware that I'm not expert enough in this field to be able to tell you with 100% confidence that this change won't potentially open up a way for some fraudulent certs to slip through, but it seems OK to do based on what I've googled. YMMV and all that. I had to make this change to get my renewed smart card certificates to work.

If this doesn't work in your case, the problem may well be about the ECC issue @heinoganda mentioned. I just figured it might be the name constraint issue based on OE telling you that "the name on the security certificate is invalid". Might want to remove the newly created registry key if it doesn't help you.

Thank you for this information, I'll give it a try.   Sounds reasonable to me.  If it doesn't work, I can always restore the registry with a backup.


Well, I would be interested in what AV is installed, and secondly I need links to the images (if necessary by PM) from the affected e-mails so I can test!

:)

On 2/2/2017 at 8:53 AM, glnz said:

Heinoganda - I run your cert_updater from time to time on my XP.  The latest cert updates are still November 2016.

But in my incoming emails, I now get certificate warnings from time to time, when I never got them up to a year ago.  For example, I receive promo emails from Natural Area Rugs, from whom I've bought a few small floor rugs over the years, and now a Certificate Warning pops up.  See attachment here.

Similarly for emails from UPS.com that originate in their office in Thailand, which handles shipments for my wife's business.  Those are not promo emails; I frequently respond to their emails, a few times per month.

(FYI - my emails come in on Outlook Express 6, and my many old emails on OE6 are why I want to keep my XP machine running.)

Are we sure the Cert_updater is getting good lists of current certificates?  I'm sure it's working, but is it reaching for the right source data?

Thanks.

Nat Area Rug certificate problem 2-2-17.jpg

Have you tried going into the Internet Options and disabling any of the certificate selections?

(Note: the below image on my system is set to system defaults, you may have to try selecting/deselecting on your own to see what works)

iecert.jpg


While you're there, scroll down a little further and make sure you have TLS 1.0 enabled (and preferably, SSL 2.0 and 3.0 disabled).
