
Updating Trusted Root Certificates in an Isolated Environment

Peter Klötzer 26 Reputation points
Sep 6, 2022, 7:55 AM

Hello Forum,

I want to update my root certificates on a Windows Server 2019 isolated environment which has no connection to the web (no proxy connection either).

The current root certificates are provided via virtual directory in IIS on another machine by an automatic mechanism (https://github.com/logikkreise/GettingInTouchwithPS/tree/master/Update-WindowsCertificateStore).

The resulting web page with certificate material can be accessed read-only.

http://webserver/certstore

In order for the clients to automatically fetch updated root certificates from there, changes in the registry are necessary.

New-Item 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -name 'DisableRootAutoUpdate' -value '0' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -name 'EnableDisallowedCertAutoUpdate' -value '1' -PropertyType 'DWORD'
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate' -name 'RootDirUrl' -value 'http://webserver/certstore' -PropertyType 'String'

Unfortunately, the synchronization via certutil does not work:

certutil -syncWithWU http://webserver/certstore

A timeout occurs. What am I doing wrong here?

Reference:
https://support.microsoft.com/en-us/topic/an-update-is-available-that-enables-administrators-to-update-trusted-and-disallowed-ctls-in-disconnected-environments-in-windows-0c51c702-fdcc-f6be-7089-4585fad729d6#bkmk_5

Thanks and best regards
Peter
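One way to apply the three registry values from the question on a disconnected client and then check what was actually configured, as an added example that is not part of the original post or of the linked GitHub project. It assumes http://webserver/certstore is the URL from the question (replace it with your own) and that the sync on the connected server produced both authrootstl.cab (the file name shown in the thread's certutil output) and its disallowed-CTL counterpart disallowedcertstl.cab. Run it in an elevated PowerShell on the isolated server.

```powershell
# Added example, not from the original post. Configures the auto-update source
# on a disconnected client and verifies the result. Run elevated.
# ASSUMPTION: $CertStoreUrl is the internal web server from the question.
$CertStoreUrl = 'http://webserver/certstore'
$PolicyKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$AutoUpdKey   = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

# 1. Write the three values from the question idempotently (Set- instead of New-,
#    so re-running the script does not fail on a value that already exists).
New-Item -Path $PolicyKey  -Force | Out-Null
New-Item -Path $AutoUpdKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey  -Name 'DisableRootAutoUpdate'          -Value 0 -Type DWord
Set-ItemProperty -Path $PolicyKey  -Name 'EnableDisallowedCertAutoUpdate' -Value 1 -Type DWord
Set-ItemProperty -Path $AutoUpdKey -Name 'RootDirUrl' -Value $CertStoreUrl -Type String

# 2. Read the values back so the operator sees what the auto-update mechanism
#    will actually use (a typo in the URL is the most common misconfiguration).
$cfg = [ordered]@{
    DisableRootAutoUpdate          = (Get-ItemProperty $PolicyKey).DisableRootAutoUpdate
    EnableDisallowedCertAutoUpdate = (Get-ItemProperty $PolicyKey).EnableDisallowedCertAutoUpdate
    RootDirUrl                     = (Get-ItemProperty $AutoUpdKey).RootDirUrl
}
$cfg | Format-Table -AutoSize

# 3. Confirm that the CTL files the client will request are reachable from THIS
#    machine (browsing in IE proves name resolution, not that the file names match).
#    ASSUMPTION: both .cab files were produced by the sync on the connected server.
foreach ($file in 'authrootstl.cab', 'disallowedcertstl.cab') {
    $uri = "$CertStoreUrl/$file"
    try {
        $resp = Invoke-WebRequest -Uri $uri -Method Head -UseBasicParsing -TimeoutSec 10
        Write-Host ("OK   {0} ({1} bytes)" -f $uri, $resp.Headers['Content-Length'])
    } catch {
        Write-Warning ("FAIL {0}: {1}" -f $uri, $_.Exception.Message)
    }
}
```

Note that a configured client does not mirror the whole directory: Windows downloads the CTL and then individual root certificates on demand, when chain building hits a root it does not yet have. A sparse Trusted Root store right after configuration is therefore not by itself a sign that RootDirUrl is ignored; the HEAD checks above are the quicker way to tell whether the client can reach the files at all.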



5 answers

  1. JimmySalian-2011 42,196 Reputation points
    Sep 6, 2022, 8:34 AM

    Hi Peter,

    I think the SyncWU command looks for a file share or a directory instead of a URL. Check this article and the steps for a similar process to download the certs for an isolated env.

    dn265983(v=ws.11)


    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Limitless Technology 39,756 Reputation points
    Sep 7, 2022, 7:28 AM

    Hello there,

    What is the exact error message you are getting when you say synchronization via certutil does not work?

    Please check for the following

    - Can you run certutil -ping -config "cadnsname\CA logical name" from the isolated environment?
    - Who has permission to Request certificates at the CA?

    How to troubleshoot Certificate Enrollment in the MMC Certificate Snap-in https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/how-to-troubleshoot-certificate-enrollment-in-the-mmc/ba-p/394973

    ------------------------------------------------------------------------------------------------------------------------------

    -- If the reply is helpful, please Upvote and Accept it as an answer --


  3. S-Christian 1 Reputation point
    Sep 9, 2022, 3:09 PM

    Hello there,

    I am a colleague of Peter and also on this topic.

    To be a little bit more specific:

    We did the following part, "Configure a file or web server to download the CTL files", from the article below (we use the webserver variant).
    Link: https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)?redirectedfrom=MSDN

    The files are being downloaded successfully from the web to the local server. That works like a charm.

    Now we want the isolated (or disconnected) servers to receive their CTLs from the webserver mentioned above.
    We changed the local policy of a test server (which is disconnected from the internet but connected to the webserver mentioned above) as Peter already mentioned:

    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate -> 0
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\EnableDisallowedCertAutoUpdate -> 1
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate\RootDirUrl -> http://webserver/certstore

    If we use IE from the isolated server and browse to http://webserver/certstore we can see the certificates.

    But the server does not receive the certificates, neither with the registry keys above nor with certutil -syncWithWU http://webserver/certstore.

    With certutil -syncWithWU http://webserver/certstore we receive the following error:

    The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT) -- http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
    CertUtil: -syncWithWU command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
    CertUtil: The operation timed out

    That's where we stand right now.
    Help or hints are welcome.
    Thanks in advance,
    Christian


  4. Andy U 1 Reputation point
    Dec 8, 2022, 9:51 AM

    I am having exactly the same issue here as the OP.

    Latest Certs and CTLs have been downloaded to a file share successfully on our disconnected network.

    Registry has been updated as per Microsoft's doc to change the RootDirURL to this local fileshare.
    Group Policy has been amended to change all devices to this.

    Clients are not downloading and updating these Certs into the local machine Cert Store using CERTLM.MSC.

    Did anybody get a working solution to this?


  5. Andy U 1 Reputation point
    Dec 8, 2022, 10:23 AM

    And to add a little bit to this, I don't think the CERTUTIL command is supposed to work on the disconnected clients, as it only seems to be used on the device that has internet access so it can connect to Microsoft and download the new/updated Certs and CTLs.
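The connected side of that split, as an added example that is not part of the thread or of Microsoft's article: certutil -syncWithWU takes a local destination directory or UNC path, so it is run on the machine with internet access, writing into the directory that IIS publishes, and the disconnected clients only ever see the resulting files through RootDirUrl. The script assumes C:\inetpub\certstore is the physical path behind http://webserver/certstore (adjust to your IIS setup); authrootstl.cab and the authroot.stl inside it are the real file names, disallowedcertstl.cab is its disallowed-CTL counterpart.

```powershell
# Added example, not from the original thread. Run on the machine that HAS
# internet access and hosts the IIS virtual directory.
# ASSUMPTION: $DestDir is the physical path behind http://webserver/certstore.
$DestDir = 'C:\inetpub\certstore'
New-Item -ItemType Directory -Path $DestDir -Force | Out-Null

# 1. Pull the CTLs and root certificates from Windows Update into the directory.
#    The argument is a destination directory, not the URL of your own server.
#    -f forces a re-download of files that already exist.
certutil.exe -syncWithWU -f $DestDir
if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed with exit code $LASTEXITCODE" }

# 2. Check that the files a disconnected client will ask for are actually present.
$required = 'authrootstl.cab', 'disallowedcertstl.cab'
foreach ($f in $required) {
    $p = Join-Path $DestDir $f
    if (-not (Test-Path $p)) { throw "Missing $p after sync" }
}
$crtCount = (Get-ChildItem -Path $DestDir -Filter '*.crt').Count
Write-Host "Sync complete: $crtCount root certificates, CTLs present: $($required -join ', ')"

# 3. Unpack the trusted-root CTL and dump it so the operator can confirm what the
#    clients will consume. The CTL is signed by Microsoft, and the client checks that
#    signature; plain HTTP between your web server and the clients does not weaken
#    that, it only means the transport itself is not authenticated.
$tmp = Join-Path $env:TEMP 'ctl-check'
New-Item -ItemType Directory -Path $tmp -Force | Out-Null
expand.exe '-F:*' (Join-Path $DestDir 'authrootstl.cab') $tmp | Out-Null
certutil.exe -dump (Join-Path $tmp 'authroot.stl') | Select-Object -First 20
```

Schedule this on the connected server (a scheduled task is enough) and re-run the client-side reachability check after each sync; the clients themselves need no certutil invocation, only the registry values pointing at the published directory.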

