Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Enterprise root CA not re-trusted after manually deleted

121 views
Skip to first unread message

Ondrej Sevecek

unread,
May 26, 2009, 6:21:14 AM5/26/09
to
hello,

when I installed an Enterprise root CA, its certficate has been
automatically installed into all computers' Trusted Root Certification
Authorities.

When I then deleted the certificate manually from a computer's Trusted Root
CAs it never reappeared and the Ent Root CA remained untrusted. Is that an
expected behaviour? I tried to issue GPUPDATE /FORCE and also
CERTUTIL -PULSE but without any effect.

Does it mean that the Enterprise Root CA's cert is installed automatically
only once and never reinstalled if missing?

thank you very much.

ondrej.


Martin Rublik

unread,
May 26, 2009, 7:39:48 AM5/26/09
to
Ondrej Sevecek napisal:

If root CA certificates are distributed using autonenrollment (meaning you have
a standard enterprise CA install, and you don't use group policy for
distributing CA certs) then the certificates are downloaded only once.

Here is a quote from technet
(http://technet.microsoft.com/en-us/library/cc755801(WS.10).aspx)

Autoenrollment automatically downloads root certificates and cross-certificates
from Active Directory whenever a change is detected in the directory or when a
different domain controller is contacted. If a third-party root certificate or
cross-certificate is deleted from the local machine store, autoenrollment will
not download the certificates again until a change occurs in Active Directory or
a new domain controller is contacted.

To manually force a new download, delete the following registry key and all
subordinate keys on all affected machines.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache

So after you delete the specific registry entry try to issue gpupdate /force or
certutil -pulse and you'll get your certs back.


HTH

Martin

--
Replace nospam with google's mail for e-mail communication

Ondrej Sevecek

unread,
May 26, 2009, 10:38:41 AM5/26/09
to
thank you, but what I wanted to know is an authoritative confirmation about
a by-design behavior. it is not relevant whether there is the AEcache or
not, I need to know whether one can be sure that the manually deleted root
certs can automatically return or need a manual repair.

o.

"Martin Rublik" <martin...@nospam.com> wrote in message
news:uuK%23xaf3J...@TK2MSFTNGP02.phx.gbl...

Martin Rublik

unread,
May 27, 2009, 3:22:17 AM5/27/09
to
I'm sorry but I cannot provide you an authoritative answer, however I would like
to share what I think is going on. I would be also quite happy if someone could
correct me if I'm wrong.

As far as I understand, autoenrollment first checks "CN=Public Key
Services,CN=Services,CN=Configuration naming context" container for uSNChanged
attribute of certificationAuthority objects. You can check this using wireshark
or network monitor.

The maximum USN returned by query and object count is stored in registry
(AEMaxUSN, AEObjectCount). These values are stored per DC (DC is identified by
invocationId attribute). If the query has different number of responses
(something got deleted) or uSNChanged is different from AEMaxUSN (new cert is
published) autoenrollment queries AD for CA certs and installs them.

In general if you delete a CA certificate from store the store will not update
automatically (unless you connect to a domain controller that has different
update sequence number than the USN stored in registry, or you publish or delete
CA certs in AD).

Best regards

Martin

--

Ondrej Sevecek

unread,
May 27, 2009, 9:15:31 AM5/27/09
to
yes, looks like that. the AEDirectoryCache is the authoritative local copy
of the AD and the client is not interested in the contents of the cert store
at all.

o.

"Martin Rublik" <martin...@nospam.com> wrote in message

news:u5KRfvp3...@TK2MSFTNGP03.phx.gbl...

0 new messages