
I have a trusted third party's root certificate. I install this to the 'Trusted Root Certification Authorities' certificate store in Windows Server 2008, but it disappears from the certificate store at unknown times.

What could be causing this?

  • The certificate has not expired
  • It doesn't appear to have been revoked
  • I can't see any relevant event logs around the times of incidents
  • It happens on my dev machine, test environments and production servers
  • The production servers are not on a domain, just a workgroup (hosted in Rackspace)
  • Querying group policy (gpresult /h foo.html) doesn't report that I'm prevented from trusting 3rd party root CAs

I'm using the following code in a c# command line app to install the cert:

using System.Security.Cryptography.X509Certificates;

// Load the CA certificate from the .cer file on disk
X509Certificate2 certificate = new X509Certificate2("trusted-root-cert.cer");
// Open the machine-wide 'Third-Party Root Certification Authorities' store (AuthRoot)
X509Store store = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);

store.Open(OpenFlags.ReadWrite);
store.Add(certificate);
store.Close();

The certificate installation code happens to run every time I release a change to my application. I don't see how this could do any harm but it's worth mentioning.

There might be something wrong with the way I'm installing the certificate. What is the preferred way of installing?

dan
  • Do a `gpresult /h foo.html` and see if you have any Group Policies being applied that say something along the lines of "Prevent users from trusting third-party root certification authorities" or something along those lines? – Ryan Ries Oct 23 '14 at 23:06

2 Answers

Doing more thorough digging in the Application event log, this entry occurred:

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          24/10/2014 12:49:10
Event ID:      4108
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      [redacted]
Description:
Successful auto delete of third-party root certificate:: Subject [...redacted...]

It turns out that 3rd party root CAs can be deleted by Windows if they are not recognised:

Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.

http://toastergremlin.com/?p=144

dan
  • So, what is the verdict here? You cannot install an untrusted (by Microsoft) root CA at all? I have the same problem. I issue a development certificate for a local domain (signed by my own CA) and Windows removes it. In the past, I used a different custom cert, again issued by me, but for a different domain, and that was never removed... I wonder what are the criteria that Microsoft uses to remove things... I thought it might have to do with the valid TLDs, but that does not seem to be the case... – user2173353 Sep 04 '20 at 15:02
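Added example, not part of the answer above: the CAPI2 event 4108 entry quoted in the answer is the only trace Windows leaves when it prunes a third-party root, so a small audit that pulls those events out of the Application log is the quickest way to confirm this is what is happening on a given machine. The provider name and event ID come from the log entry above; the class and method names are my own. It uses System.Diagnostics.Eventing.Reader, which is in .NET Framework and, on .NET Core/.NET 5+, in the System.Diagnostics.EventLog package (Windows only).

```csharp
using System;
using System.Diagnostics.Eventing.Reader;

// Lists every CAPI2 "Successful auto delete of third-party root certificate" event
// (Event ID 4108) in the local Application log, newest first.
class Capi2AutoDeleteAudit
{
    // XPath filter: provider Microsoft-Windows-CAPI2, event id 4108 (values from the
    // event quoted in the answer).
    const string AutoDeleteQuery =
        "*[System[Provider[@Name='Microsoft-Windows-CAPI2'] and (EventID=4108)]]";

    // Returns the number of auto-delete events found and prints each one.
    static int ListAutoDeletes()
    {
        var query = new EventLogQuery("Application", PathType.LogName, AutoDeleteQuery)
        {
            ReverseDirection = true // newest entries first
        };

        int count = 0;
        using (var reader = new EventLogReader(query))
        {
            for (EventRecord record = reader.ReadEvent(); record != null; record = reader.ReadEvent())
            {
                using (record)
                {
                    count++;
                    // FormatDescription() yields the "Successful auto delete ... Subject ..." text,
                    // which names the certificate that was removed.
                    Console.WriteLine($"{record.TimeCreated:u}  EventID={record.Id}  {record.ProviderName}");
                    Console.WriteLine("    " + (record.FormatDescription() ?? "(no description)").Trim());
                }
            }
        }
        return count;
    }

    static void Main()
    {
        int n = ListAutoDeletes();
        Console.WriteLine(n == 0
            ? "No CAPI2 4108 auto-delete events in the Application log."
            : $"{n} third-party root certificate(s) were auto-deleted by Windows.");
    }
}
```

Run it on the affected server after the certificate has vanished; a non-zero count with the subject of your CA in the description is the confirmation, and the timestamps line up the deletions with whatever triggered the root-list update. The same XPath filter can be pasted into Event Viewer's "Filter Current Log" XML tab if you would rather not run code on a production box.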

I had the same problem when installing the certificate in AuthRoot.

Once I installed it in Root, everything was fine.

It is interesting to note what each value of the StoreName enum means:

https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.storename?view=netcore-3.1

user2173353
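Added example, not code from the answer or the question: the install routine from the question rewritten to target StoreName.Root (the store this answer found to be stable) instead of StoreName.AuthRoot, with two checks a practitioner would want before and after. It refuses anything that is not self-signed, since only a root CA belongs in Root, and it reopens the store afterwards to confirm the certificate is really there, matching by thumbprint. The class and method names and the sanity checks are my own; the file name is the one from the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

class InstallRootCert
{
    // Adds a self-signed CA certificate to LocalMachine\Root and returns true only if it
    // can be found there afterwards. Root is used rather than AuthRoot, because AuthRoot
    // is the store Windows prunes of roots it does not recognise (CAPI2 event 4108).
    static bool InstallAndVerify(string certPath)
    {
        var certificate = new X509Certificate2(certPath);

        // A root CA certificate is self-signed: subject and issuer must match. Anything
        // else (a leaf or intermediate) must not be placed in the Root store.
        if (certificate.Subject != certificate.Issuer)
        {
            throw new InvalidOperationException(
                "Certificate is not self-signed; it does not belong in the Root store.");
        }

        using (var store = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadWrite);
            // Skip the Add when an identical certificate (same thumbprint) is already present,
            // so re-running this on every release is a no-op rather than a write.
            var existing = store.Certificates.Find(
                X509FindType.FindByThumbprint, certificate.Thumbprint, false);
            if (existing.Count == 0)
            {
                store.Add(certificate);
            }
        }

        // Reopen read-only and confirm the certificate is actually in the store.
        using (var check = new X509Store(StoreName.Root, StoreLocation.LocalMachine))
        {
            check.Open(OpenFlags.ReadOnly);
            var found = check.Certificates.Find(
                X509FindType.FindByThumbprint, certificate.Thumbprint, false);
            return found.Count > 0;
        }
    }

    static void Main(string[] args)
    {
        // Defaults to the file name used in the question.
        string path = args.Length > 0 ? args[0] : "trusted-root-cert.cer";
        bool ok = InstallAndVerify(path);
        Console.WriteLine(ok
            ? "Certificate present in LocalMachine\\Root."
            : "Certificate NOT found in LocalMachine\\Root after install.");
    }
}
```

Writing to LocalMachine\Root requires administrative rights, so the deployment step that runs this must be elevated. If the certificate still disappears after moving it to Root, the CAPI2 4108 audit from the first answer will show whether Windows is the one removing it.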