50 Trusted Root Certificates Installed by Windows Updates

[jcgriff2]

Did anyone else get ~50 Trusted Root Certificates installed via Windows Updates?

I thought it was kb931125 - Windows root certificate program members, but I do not see kb931125 it in my system -

https://www.sysnative.com/jcgriff2/posteditems/wmic_hotfixes_jcgriff2_12-19-2012.html


My Event Viewer SYSTEM logs show a few repeating error entries like these two re: Schannel:

Read More:

Event[931][COLOR="#000000"]:
  Log Name: System
  Source: Schannel
  Date: 2012-12-15T01:36:48.980
  Event ID: [COLOR="#FF0000"]36888[/COLOR]
  Level: Error
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Description: 
The following fatal alert was generated: 40. 
The internal error state is 107.[/COLOR]

[COLOR="#000000"]Event[932]:
  Log Name: System
  Source: Schannel
  Date: 2012-12-15T01:36:48.980
  Event ID: [COLOR="#FF0000"]36874[/COLOR]
  Level: Error
  User: S-1-5-18
  User Name: NT AUTHORITY\SYSTEM
  Description: 
An SSL 3.0 connection request was received from a remote client application, 
but none of the cipher suites supported by the client application are 
supported by the server. The SSL connection request has failed.[/COLOR]

Microsoft Exchange Server forum has A solution, I guess - change a registry key value to turn of Event Viewer logging!

getting Schannel 36874 errors on my CAS/HT servers


The 2 Schannel errors were followed by the installation of these 50 trusted root certs:

[COLOR="#000000"]Each had the prefix:[/COLOR] [COLOR="#000044"][B]Successful auto property update of third-party root certificate:: Subject[/B][/COLOR]
[COLOR="#000000"] 
[LIST=1]
[*]  : <CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK> Sha1 thumbprint: <D6DAA8208D09D2154D24B52FCB346EB258B28A58>.
[*]  : <CN=AffirmTrust Premium, O=AffirmTrust, C=US> Sha1 thumbprint: <D8A6332CE0036FB185F6634F7D6A066526322827>.
[*]  : <CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH> Sha1 thumbprint: <D8C5388AB7301B1B6ED47AE645253A6F9F1A2761>.
[*]  : <E=ance@certification.tn, CN=Agence Nationale de Certification Electronique, OU=Certification & PKI, O=ANCE, C=TN> Sha1 thumbprint: <D904080A4929C838E9F185ECF7A22DEF99342407>.
[*]  : <CN=Equifax Secure eBusiness CA-1, O=Equifax Secure Inc., C=US> Sha1 thumbprint: <DA40188B9189A3EDEEAEDA97FE2F9DF5B7D18A41>.
[*]  : <CN=CA DATEV BT 01, O=DATEV eG, C=DE> Sha1 thumbprint: <DA8B6567EF3F6E1EA26AB146E36CCB5728041846>.
[*]  : <CN=DST Root CA X3, O=Digital Signature Trust Co.> Sha1 thumbprint: <DAC9024F54D8F6DF94935FB1732638CA6AD77C13>.
[*]  : <CN=Buypass Class 3 Root CA, O=Buypass AS-983163327, C=NO> Sha1 thumbprint: <DAFAF7FA6684EC068F1450BDC7C281A5BCA96457>.
[*]  : <CN=GTE CyberTrust Root, OU="GTE CyberTrust Solutions, Inc.", O=GTE Corporation, C=US> Sha1 thumbprint: <DBAC3C7AA4254DA1AA5CAAD68468CB88EEDDEEA8>.
[*]  : <E=acraiz@suscerte.gob.ve, OU=Superintendencia de Servicios de Certificacion Electronica, O=Sistema Nacional de Certificacion Electronica, S=Distrito Capital, L=Caracas, C=VE, CN=Autoridad de Certificacion Raiz del Estado Venezolano> Sha1 thumbprint: <DD83C519D43481FAD4C22C03D702FE9F3B22F517>.
[*]  : <CN=e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi, O=Elektronik Bilgi Guvenligi A.S., C=TR> Sha1 thumbprint: <DDE1D2A901802E1D875E84B3807E4BB1FD994134>.
[*]  : <CN=GeoTrust Global CA, O=GeoTrust Inc., C=US> Sha1 thumbprint: <DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212>.
[*]  : <CN=QuoVadis Root Certification Authority, OU=Root Certification Authority, O=QuoVadis Limited, C=BM> Sha1 thumbprint: <DE3F40BD5093D39B6C60F6DABC076201008976C9>.
[*]  : <CN=Cisco Root CA 2048, O=Cisco Systems> Sha1 thumbprint: <DE990CED99E0431F60EDC3937E7CD5BF0ED9E5FA>.
[*]  : <CN=TWCA Root Certification Authority, OU=Root CA, O=TAIWAN-CA, C=TW> Sha1 thumbprint: <DF646DCB7B0FD3A96AEE88C64E2D676711FF9D5F>.
[*]  : <CN=Hongkong Post Root CA, O=Hongkong Post, C=HK> Sha1 thumbprint: <E0925E18C7765E22DABD9427529DA6AF4E066428>.
[*]  : <E=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, S=Western Cape, C=ZA> Sha1 thumbprint: <E0AB059420725493056062023670F7CD2EFC6666>.
[*]  : <C=ES, O=EDICOM, OU=PKI, CN=ACEDICOM Root> Sha1 thumbprint: <E0B4322EB2F6A568B654538448184A5036874384>.
[*]  : <CN=UTN-USERFirst-Object, OU=http://www.usertrust.com, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US> Sha1 thumbprint: <E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46>.
[*]  : <C=IL, O=ComSign, CN=ComSign CA> Sha1 thumbprint: <E1A45B141A21DA1A79F41A42A961D669CD0634C1>.
[*]  : <CN=NetLock Expressz (Class C) Tanusitvanykiado, OU=Tanusitvanykiadok, O=NetLock Halozatbiztonsagi Kft., L=Budapest, C=HU> Sha1 thumbprint: <E392512F0ACFF505DFF6DE067F7537E165EA574B>.
[*]  : <CN=D-TRUST Qualified Root CA 1 2007:PN, O=D-Trust GmbH, C=DE> Sha1 thumbprint: <E3D73606996CDFEF61FA04C335E98EA96104264A>.
[*]  : <E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 1 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network> Sha1 thumbprint: <E5DF743CB601C49B9843DCAB8CE86A81109FE48E>.
[*]  : <CN=A-Trust-Qual-01, OU=A-Trust-Qual-01, O=A-Trust Ges. für Sicherheitssysteme im elektr. Datenverkehr GmbH, C=AT> Sha1 thumbprint: <E619D25B380B7B13FDA33E8A58CD82D8A88E0515>.
[*]  : <CN=GeoTrust Universal CA, O=GeoTrust Inc., C=US> Sha1 thumbprint: <E621F3354379059A4B68309D8A2F74221587EC79>.
[*]  : <CN=Telekom-Control-Kommission Top 1, O=Telekom-Control-Kommission, C=AT> Sha1 thumbprint: <E70715F6F728365B5190E271DEE4C65EBEEACAF3>.
[*]  : <CN=WellsSecure Public Root Certificate Authority, OU=Wells Fargo Bank NA, O=Wells Fargo WellsSecure, C=US> Sha1 thumbprint: <E7B4F69D61EC9069DB7E90A7401A3CF47D4FE8EE>.
[*]  : <O=CFCA GT CA, C=CN> Sha1 thumbprint: <EABDA240440ABBD694930A01D09764C6C2D77966>.
[*]  : <E=ca@digsigtrust.com, CN=DST (UPS) RootCA, OU=United Parcel Service, O=Digital Signature Trust Co., L=Salt Lake City, S=Utah, C=us> Sha1 thumbprint: <EC0C3716EA9EDFADD35DFBD55608E60A05D3CBF3>.
[*]  : <CN=NetLock Platina (Class Platinum) Fotanúsítvány, OU=Tanúsítványkiadók (Certification Services), O=NetLock Kft., L=Budapest, C=HU> Sha1 thumbprint: <EC93DE083C93D933A986B3D5CDE25ACB2FEECF8E>.
[*]  : <OU=Trustis EVS Root CA, O=Trustis Limited, C=GB> Sha1 thumbprint: <ED8DC8386C4886AEEE079158AAC3BFE658E394B4>.
[*]  : <E=pkiadmin@trustcentre.co.za, CN=SAPO Class 2 Root CA, OU=SAPO Trust Centre, O=South African Post Office Limited, L=Somerset West, S=Western Cape, C=ZA> Sha1 thumbprint: <EDB3CB5FB419A185066267E5791554E1E28B6399>.
[*]  : <CN=Public Notary Root, OU=http://www.chambersign.org, O=AC Camerfirma SA CIF A82743287, C=EU> Sha1 thumbprint: <EE29D6EA98E632C6E527E0906F0280688BDF44DC>.
[*]  : <CN=COMODO Certification Authority, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB> Sha1 thumbprint: <EE869387FFFD8349AB5AD14322588789A457B012>.
[*]  : <CN=Digidentity L3 Root CA - G2, O=Digidentity B.V., C=NL> Sha1 thumbprint: <F138A330A4EA986BEB520BB11035876EFB9D7F1C>.
[*]  : <O=TÜRKTRUST Bilgi Iletisim ve Bilisim Güvenligi Hizmetleri A.S. (c) Aralik 2007, L=Ankara, C=TR, CN=TÜRKTRUST Elektronik Sertifika Hizmet Saglayicisi> Sha1 thumbprint: <F17F6FB631DC99E3A3C87FFE1CF1811088D96033>.
[*]  : <CN=thawte Primary Root CA - G3, OU="(c) 2008 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US> Sha1 thumbprint: <F18B538D1BE903B6A6F056435B171589CAF36BF2>.
[*]  : <CN=Actalis Authentication Root CA, O=Actalis S.p.A./03358520967, L=Milan, C=IT> Sha1 thumbprint: <F373B387065A28848AF2F34ACE192BDDC78E9CAC>.
[*]  : <CN=Class 3TS Primary CA, O=Certplus, C=FR> Sha1 thumbprint: <F44095C238AC73FC4F77BF8F98DF70F8F091BC52>.
[*]  : <O=Government Root Certification Authority, C=TW> Sha1 thumbprint: <F48B11BFDEABBE94542071E641DE6BBE882B40B9>.
[*]  : <CN=CertRSA01, OU=ROOTCA, O=KISA, C=KR> Sha1 thumbprint: <F5C27CF5FFF3029ACF1A1A4BEC7EE1964C77D784>.
[*]  : <CN=AffirmTrust Commercial, O=AffirmTrust, C=US> Sha1 thumbprint: <F9B5B632455F9CBEEC575F80DCE96E2CC7B278B7>.
[*]  : <C=IL, O=ComSign, CN=ComSign Secured CA> Sha1 thumbprint: <F9CD0E2CDA7624C18FBDF0F0ABB645B8F7FED57A>.
[*]  : <CN=Correo Uruguayo - Root CA, OU=SERVICIOS ELECTRONICOS, O=ADMINISTRACION NACIONAL DE CORREOS, C=UY> Sha1 thumbprint: <F9DD19266B2043F1FE4B3DCB0190AFF11F31A69D>.
[*]  : <CN=Certeurope Root CA 2, OU=0002 434202180, O=Certeurope, C=FR> Sha1 thumbprint: <FA0882595F9CA6A11ECCBEAF65C764C0CCC311D0>.
[*]  : <CN=VRK Gov. Root CA, OU=Varmennepalvelut, OU=Certification Authority Services, O=Vaestorekisterikeskus CA, S=Finland, C=FI> Sha1 thumbprint: <FAA7D9FB31B746F200A85E65797613D816E063B5>.
[*]  : <E=scr@registradores.org, STREET=Principe de Vergara 72 28006 Madrid, CN=Certificado de la Clave Principal, OU=Certificado Raiz, OU=Certificado Propio, O=Servicio de Certificacion del Colegio de Registradores (SCR), C=es> Sha1 thumbprint: <FAAA27B8CAF5FDF5CDA98AC3378572E04CE8F2E0>.
[*]  : <OU=certSIGN ROOT CA, O=certSIGN, C=RO> Sha1 thumbprint: <FAB7EE36972662FB2DB02AF6BF03FDE87C4B2F9B>.
[*]  : <CN=D-TRUST Root Class 3 CA 2007, O=D-Trust GmbH, C=DE> Sha1 thumbprint: <FD1ED1E2021B0B9F73E8EB75CE23436BBCC746EB>.
[*]  : <OU=Security Communication EV RootCA1, O="SECOM Trust Systems CO.,LTD.", C=JP> Sha1 thumbprint: <FEB8C432DCF9769ACEAE3DD8908FFD288665647D>.

[/LIST]
[/COLOR]

Some threads suggest they came in to some systems by accident. I am not running Server 2007R2, but am running Windows 7 x64 SP1, the same basic build.

Are these certificates OK or . . .

kb2464556 suggest one method:

Method 1: Remove some trusted root certificates

kb931125 -

Necessary and trusted root certificates
The following certificates are necessary and trusted in Windows 7, in Windows Vista, in Windows Server 2008 R2, and in Windows Server 2008:

Read More:

Expand this table[TABLE="class: table, width: 760"]
[TR]
[TD]Issued to
[/TD]
[TD]Issued by
[/TD]
[TD]Serial number
[/TD]
[TD]Expiration date
[/TD]
[TD]Intended purposes
[/TD]
[TD]Friendly name
[/TD]
[TD]Status
[/TD]
[/TR]
[TR]
[TD]Microsoft Root Authority
[/TD]
[TD]Microsoft Root Authority
[/TD]
[TD]00c1008b3c3c8811d13ef663ecdf40
[/TD]
[TD]12/31/2020
[/TD]
[TD]All
[/TD]
[TD]Microsoft Root Authority
[/TD]
[TD]R
[/TD]
[/TR]
[TR]
[TD]Thawte Timestamping CA
[/TD]
[TD]Thawte Timestamping CA
[/TD]
[TD]00
[/TD]
[TD]12/31/2020
[/TD]
[TD]Time Stamping
[/TD]
[TD]Thawte Timestamping CA
[/TD]
[TD]R
[/TD]
[/TR]
[TR]
[TD]Microsoft Root Certificate Authority
[/TD]
[TD]Microsoft Root Certificate Authority
[/TD]
[TD]79ad16a14aa0a5ad4c7358f407132e65
[/TD]
[TD]5/9/2021
[/TD]
[TD]All
[/TD]
[TD]Microsoft Root Certificate Authority
[/TD]
[TD]R
[/TD][/TR]

[/TABLE]

Is there anything to do here or are they OK?

Any idea why I got them but most others I checked with did not?

Thanks,

John

 

[Corrine]

For some unknown reason, KB 931125 was released as an Optional Update on Windows 7. Root Certificate updates are generally silent updates. Still no answer as to why.

Windows Update shows successful installation of KB 931125 on Windows 7 SP1, 64-bit. Checking Event Viewer, System, I found one SChannel error, also EventID 36888 but a different description:

Log Name: System
Source: Schannel
Date: 12/19/2012 12:47:23 PM
Event ID: 36888
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: EntertainmentNB
Description: The following fatal alert was generated: 10. The internal error state is 10.

Edit Note: Are you sure KB 931125 isn't installed? The date would be December 11 or later depending on when you installed the December security updates.

 

[jcgriff2]

I don't see kb931125 -

Hotfix(s):                 173 Hotfix(s) Installed.
                           [01]: 982861
                           [02]: KB2592687
                           [03]: KB971033
                           [04]: KB917607
                           [05]: KB2506143
                           [06]: KB2305420
                           [07]: KB2393802
                           [08]: KB2425227
                           [09]: KB2446710
                           [10]: KB2475792
                           [11]: KB2476490
                           [12]: KB2478662
                           [13]: KB2479628
                           [14]: KB2479943
                           [15]: KB2484033
                           [16]: KB2485376
                           [17]: KB2487426
                           [18]: KB2488113
                           [19]: KB2491683
                           [20]: KB2492386
                           [21]: KB2497640
                           [22]: KB2503658
                           [23]: KB2503665
                           [24]: KB2505438
                           [25]: KB2506014
                           [26]: KB2506212
                           [27]: KB2506223
                           [28]: KB2506928
                           [29]: KB2507618
                           [30]: KB2507938
                           [31]: KB2508272
                           [32]: KB2508429
                           [33]: KB2509553
                           [34]: KB2510531
                           [35]: KB2511250
                           [36]: KB2511455
                           [37]: KB2515325
                           [38]: KB2518869
                           [39]: KB2522422
                           [40]: KB2524375
                           [41]: KB2525694
                           [42]: KB2529073
                           [43]: KB2530548
                           [44]: KB2532531
                           [45]: KB2533552
                           [46]: KB2533623
                           [47]: KB2534366
                           [48]: KB2536275
                           [49]: KB2536276
                           [50]: KB2539635
                           [51]: KB2541014
                           [52]: KB2544893
                           [53]: KB2545698
                           [54]: KB2547666
                           [55]: KB2552343
                           [56]: KB2555917
                           [57]: KB2556532
                           [58]: KB2559049
                           [59]: KB2560656
                           [60]: KB2562937
                           [61]: KB2563227
                           [62]: KB2563894
                           [63]: KB2564958
                           [64]: KB2567053
                           [65]: KB2567680
                           [66]: KB2570791
                           [67]: KB2570947
                           [68]: KB2572077
                           [69]: KB2574819
                           [70]: KB2579686
                           [71]: KB2584146
                           [72]: KB2585542
                           [73]: KB2586448
                           [74]: KB2588516
                           [75]: KB2603229
                           [76]: KB2604115
                           [77]: KB2607576
                           [78]: KB2607712
                           [79]: KB2616676
                           [80]: KB2617657
                           [81]: KB2618444
                           [82]: KB2618451
                           [83]: KB2619339
                           [84]: KB2620704
                           [85]: KB2620712
                           [86]: KB2621440
                           [87]: KB2631813
                           [88]: KB2633873
                           [89]: KB2633952
                           [90]: KB2639308
                           [91]: KB2639417
                           [92]: KB2640148
                           [93]: KB2641653
                           [94]: KB2641690
                           [95]: KB2644615
                           [96]: KB2645640
                           [97]: KB2647516
                           [98]: KB2647518
                           [99]: KB2647753
                           [100]: KB2653956
                           [101]: KB2654428
                           [102]: KB2655992
                           [103]: KB2656356
                           [104]: KB2656373
                           [105]: KB2656411
                           [106]: KB2658846
                           [107]: KB2659262
                           [108]: KB2660075
                           [109]: KB2660465
                           [110]: KB2660649
                           [111]: KB2661254
                           [112]: KB2665364
                           [113]: KB2667402
                           [114]: KB2675157
                           [115]: KB2676562
                           [116]: KB2677070
                           [117]: KB2679255
                           [118]: KB2685811
                           [119]: KB2685813
                           [120]: KB2685939
                           [121]: KB2686831
                           [122]: KB2688338
                           [123]: KB2690533
                           [124]: KB2691442
                           [125]: KB2695962
                           [126]: KB2698365
                           [127]: KB2699779
                           [128]: KB2699988
                           [129]: KB2705219
                           [130]: KB2709162
                           [131]: KB2709630
                           [132]: KB2709715
                           [133]: KB2709981
                           [134]: KB2712808
                           [135]: KB2718523
                           [136]: KB2718704
                           [137]: KB2719177
                           [138]: KB2719857
                           [139]: KB2719985
                           [140]: KB2722913
                           [141]: KB2724197
                           [142]: KB2727528
                           [143]: KB2729094
                           [144]: KB2729452
                           [145]: KB2731771
                           [146]: KB2731847
                           [147]: KB2732059
                           [148]: KB2732487
                           [149]: KB2732500
                           [150]: KB2735855
                           [151]: KB2736233
                           [152]: KB2739159
                           [153]: KB2741355
                           [154]: KB2743555
                           [155]: KB2744842
                           [156]: KB2749655
                           [157]: KB2750841
                           [158]: KB2753842
                           [159]: KB2756822
                           [160]: KB2758857
                           [161]: KB2761217
                           [162]: KB2761226
                           [163]: KB2761451
                           [164]: KB2761465
                           [165]: KB2762895
                           [166]: KB2763523
                           [167]: KB2770660
                           [168]: KB2779030
                           [169]: KB2779562
                           [170]: KB958488
                           [171]: KB976902
                           [172]: KB976932
                           [173]: KB982018

This is odd.

 

[NoelDP]

I don't think that the Root Certificates Update gets installed via the nomral WU route - so doesn't appear in the Installed Updates listing.
Try using Belarc Advisor-- IIRC, it should show it, and the latest install date.

 

[jcgriff2]

Hmm...

Don't see kb931125 in Belarc, either....

Belarc HTML output EDITED; license area removed.

https://www.sysnative.com/jcgriff2/postedfiles/jcgriff2_HP_Belarc_edited2__12-24-2012.html

 

[NoelDP]

Certificate Support and Resulting Internet Communication in Windows Vista
makes interesting reading (perhaps! - I get lost after the first two lines :) )

Doing a registry search on 931125 brings up the following Keys in Win7 (with a modification date of today)
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

I deleted my Win7 history yesterday for various reasons - but a full update of a Vista x64 machine yields nothing in either Installed Updates, or the Update History.
The only Key found there is
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
with a modification date of today as well.

 

[jcgriff2]

Sorry, Noel - I thought I replied to this days ago; probably never submitted the post.

Regedit was a bust. I used Altap 3.0 beta 1 Registry plug-in

931125 got 4 hits (all binary):

[SIZE=1]HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKLM\SOFTWARE\Wow6432Node\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl

HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\DisallowedCertEncodedCtl
HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\EncodedCtl[/SIZE]

This is no big deal to me really, as I need to reinstall Windows 7.

More curiosity than anything at this time.

Thanks,

John

 

[NoelDP]

?? I just got a response notification for a new post??

 

[Corrine]

There was a new post but it was deleted.