Updating Trusted Root Certificates in an Isolated Environment

Peter Klötzer 26 Reputation points
2022-09-06T07:55:46.113+00:00

Hello Forum,

I want to update my root certificates on a Windows Server 2019 isolated environment which has no connection to the web (no proxy connection either).

The current root certificates are provided via virtual directory in IIS on another machine by an automatic mechanism (https://github.com/logikkreise/GettingInTouchwithPS/tree/master/Update-WindowsCertificateStore).

The resulting web page with certificate material can be accessed read-only.

http://webserver/certstore

In order for the clients to automatically fetch updated root certificates from there, changes in the registry are necessary.

# Policy key: allow automatic root updates and enable disallowed-cert (CTL) updates
New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -Name 'DisableRootAutoUpdate' -Value 0 -PropertyType 'DWORD' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -Name 'EnableDisallowedCertAutoUpdate' -Value 1 -PropertyType 'DWORD' -Force
# Non-policy key: point the auto-update mechanism at the internal web server instead of Windows Update
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' -Name 'RootDirUrl' -Value 'http://webserver/certstore' -PropertyType 'String' -Force

Unfortunately, the synchronization via certutil does not work:

certutil -syncWithWU http://webserver/certstore

A timeout occurs. What am I doing wrong here?

Reference:
https://support.microsoft.com/en-us/topic/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows-0c51c702-fdcc-f6be-7089-4585fad729d6#bkmk_5

Thanks and best regards
Peter


5 answers

  1. JimmySalian-2011 42,511 Reputation points
    2022-09-06T08:34:33.917+00:00

    Hi Peter,

    I think the SyncWU command looks for a file share or a directory instead of a URL. Check this article and its steps for a similar process to download the certs for an isolated environment.

    dn265983(v=ws.11)


    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Limitless Technology 39,926 Reputation points
    2022-09-07T07:28:48.847+00:00

    Hello there,

    What is the exact error message you are getting when you say synchronization via certutil does not work?

    Please check for the following

    -Can you run certutil -ping -config "cadnsname\CA logical name" from the isolated environment?
    -Who has permission to Request certificates at the CA?

    How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/how-to-troubleshoot-certificate-enrollment-in-the-mmc/ba-p/394973

    ------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept it as an answer–


  3. S-Christian 1 Reputation point
    2022-09-09T15:09:49.2+00:00

    Hello there,

    I am a colleague of Peter and also working on this topic.

    To be a little bit more specific:

    We did the following part, "Configure a file or web server to download the CTL files", from the article below (we use the web server variant).
    Link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN

    The files are being downloaded successfully from the web to the local server. That works like a charm.

    Now we want the isolated (or disconnected) servers to receive their CTLs from the web server mentioned above.
    We changed the local policy of a test server (which is disconnected from the internet but connected to the web server mentioned above) as Peter already described:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate -> 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate -> 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl -> http://webserver/certstore

    If we use IE from the isolated server and browse to http://webserver/certstore, we can see the certificates.

    But the server does not receive the certificates, neither with the registry keys above nor with certutil -syncWithWU http://webserver/certstore.

    With certutil -syncWithWU http://webserver/certstore we receive the following error:

    The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT) -- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    CertUtil: -syncWithWU command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
    CertUtil: The operation timed out

    That's where we stand right now.
    Help or hints are welcome.
    Thanks in advance,
    Christian


  4. Andy U 1 Reputation point
    2022-12-08T09:51:35.593+00:00

    I am having exactly the same issue here as the OP.

    Latest Certs and CTLs have been downloaded to a file share successfully on our disconnected network.

    Registry has been updated as per Microsoft's doc to change the RootDirURL to this local fileshare.
    Group Policy has been amended to change all devices to this.

    Clients are not downloading and updating these Certs into the local machine Cert Store using CERTLM.MSC.

    Did anybody get a working solution to this?


  5. Andy U 1 Reputation point
    2022-12-08T10:23:21.837+00:00

    And to add a little bit to this, I don't think the CERTUTIL command is supposed to work on the disconnected clients, as it only seems to be used on the device that has internet access so it can connect to Microsoft and download the new/updated Certs and CTLs.

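An added check script for the disconnected client, not code from the thread or from Microsoft's article: it reads the RootDirUrl the thread configures, fetches the two CTL cabs from it the way the auto-update mechanism does, and verifies their signature before anything is trusted. It assumes the IIS folder was filled on the connected machine with certutil -syncWithWU pointed at a local directory (the -syncWithWU argument is a destination; the download source is always ctldl.windowsupdate.com, which is why the command times out on the isolated server).

```powershell
# Added example (not from the thread). Run on the DISCONNECTED client.
# Assumed setup: connected machine ran  certutil -syncWithWU C:\inetpub\certstore
# (a destination directory), IIS serves that folder as http://webserver/certstore,
# and the client's RootDirUrl points at it.

$autoUpdateKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
$policyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

$rootDirUrl = (Get-ItemProperty -Path $autoUpdateKey -Name RootDirUrl -ErrorAction Stop).RootDirUrl
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if ($policy.DisableRootAutoUpdate -eq 1) {
    Write-Warning 'DisableRootAutoUpdate=1: the client will never consult RootDirUrl.'
}
Write-Host "RootDirUrl = $rootDirUrl"

# Cab name -> CTL file it contains, as published by the Windows Update CTL service
$ctls = @{ 'authrootstl.cab' = 'authroot.stl'; 'disallowedcertstl.cab' = 'disallowedcert.stl' }
$work = Join-Path $env:TEMP 'ctlcheck'
New-Item -ItemType Directory -Path $work -Force | Out-Null

foreach ($cabName in $ctls.Keys) {
    $uri = "$($rootDirUrl.TrimEnd('/'))/$cabName"
    $cab = Join-Path $work $cabName
    try {
        # Same plain HTTP fetch the auto-update mechanism performs against RootDirUrl
        Invoke-WebRequest -Uri $uri -OutFile $cab -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    } catch {
        Write-Warning "Cannot fetch $uri -> $($_.Exception.Message)"
        continue
    }

    # expand.exe ships with Windows and unpacks the single .stl inside the cab
    & expand.exe $cab -F:* $work | Out-Null
    $stl = Join-Path $work $ctls[$cabName]
    if (-not (Test-Path $stl)) {
        Write-Warning "$cabName did not contain $($ctls[$cabName])"
        continue
    }

    # A CTL is a signed PKCS#7 object; Get-AuthenticodeSignature hands it to
    # WinVerifyTrust (assumption: the CTL SIP is present, as on Windows Server 2019).
    $sig = Get-AuthenticodeSignature -FilePath $stl
    Write-Host ("{0}: signature={1} signer='{2}'" -f
        $ctls[$cabName], $sig.Status, $sig.SignerCertificate.Subject)
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$stl is not validly signed: do not trust this feed."
    }
}
```

Because the client only consults RootDirUrl when chain building meets a root it does not yet have, an empty local store after configuration is expected; the fetch and signature checks above are what confirm the feed is reachable and authentic.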