Event ID 12 "Successful auto delete of third-party root certificate"


GOODAY

Hello,

I've been unable to find out why the Update Root Certificate component is
auto deleting an auto installed 3rd party root certificate.

Any help with the following closely related questions would be much
appreciated.

- In what circumstances does URC automatically delete a 3rd party root
certificate?
- Are such automatic deletions specific to Vista?
- Can such deletions be disabled (without disabling URC?)


For example, a Vista laptop obtains a certificate on the 2nd of July, but
the certificate is automatically deleted on the 3rd of July.

Here's the application event log extract.

Level Information
Date and Time 02/07/2008 13:50:52
Source Microsoft-Windows-CAPI2
Event ID 1
Task Category None
Description Successful auto update of third-party root certificate::
Subject: <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
Sha1 thumbprint: <2F173F7DE99667AFA57AF80AA2D1B12FAC830338>.


Level Information
Date and Time 03/07/2008 15:39:07
Source Microsoft-Windows-CAPI2
Event ID 12
Task Category None
Description Successful auto delete of third-party root certificate::
Subject: <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
Sha1 thumbprint: <2F173F7DE99667AFA57AF80AA2D1B12FAC830338>.
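The two records above are exactly what a defender wants to correlate: a CAPI2 Event ID 1 (auto update) followed by an Event ID 12 (auto delete) for the same root, so the lifetime of an auto-installed third-party root can be seen at a glance. The script below is an added example, not code from the original poster or from Microsoft; it assumes the plain-text export layout shown in the post (one "Field Value" line per field, records separated by blank lines, dates in day/month/year order as the post describes), and it uses the two records from the post, re-typed, as constructed sample input.

```python
"""Correlate CAPI2 auto-update (Event ID 1) and auto-delete (Event ID 12)
records for third-party root certificates in an exported Application log.

Added example for this thread; not code from the original poster.
Assumes the text export layout shown in the post and dd/mm/yyyy dates."""

import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: the two records from the first post, re-typed.
SAMPLE_LOG = """\
Level Information
Date and Time 02/07/2008 13:50:52
Source Microsoft-Windows-CAPI2
Event ID 1
Task Category None
Description Successful auto update of third-party root certificate::
Subject: <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
Sha1 thumbprint: <2F173F7DE99667AFA57AF80AA2D1B12FAC830338>.

Level Information
Date and Time 03/07/2008 15:39:07
Source Microsoft-Windows-CAPI2
Event ID 12
Task Category None
Description Successful auto delete of third-party root certificate::
Subject: <CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE>
Sha1 thumbprint: <2F173F7DE99667AFA57AF80AA2D1B12FAC830338>.
"""

AUTO_UPDATE_ID = 1   # "Successful auto update of third-party root certificate"
AUTO_DELETE_ID = 12  # "Successful auto delete of third-party root certificate"

# One "Field Value" line per field in the export; the Subject and Sha1
# thumbprint lines are matched separately from the whole record.
FIELD_RE = re.compile(
    r"^(Level|Date and Time|Source|Event ID|Task Category|Description)\s+(.*)$")
SUBJECT_RE = re.compile(r"Subject:\s*<([^>]*)>")
THUMB_RE = re.compile(r"thumbprint:\s*<([0-9A-Fa-f]{40})>")


@dataclass
class RootEvent:
    when: datetime
    event_id: int
    subject: str
    thumbprint: str


def parse_export(text):
    """Split the export into records; keep only CAPI2 events 1 and 12."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields.get("Source") != "Microsoft-Windows-CAPI2":
            continue
        event_id = int(fields.get("Event ID", -1))
        if event_id not in (AUTO_UPDATE_ID, AUTO_DELETE_ID):
            continue
        subj = SUBJECT_RE.search(block)
        thumb = THUMB_RE.search(block)
        if not (subj and thumb):
            continue  # malformed record: skip rather than guess
        when = datetime.strptime(fields["Date and Time"], "%d/%m/%Y %H:%M:%S")
        events.append(RootEvent(when, event_id, subj.group(1), thumb.group(1).upper()))
    return events


def pair_lifecycles(events):
    """Match each auto-delete with the latest earlier auto-update of the same
    thumbprint. Returns (thumbprint, subject, installed, deleted) tuples;
    installed is None when the export holds no matching auto-update."""
    pending = {}
    results = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.event_id == AUTO_UPDATE_ID:
            pending[ev.thumbprint] = ev
        else:
            installed = pending.pop(ev.thumbprint, None)
            results.append((ev.thumbprint, ev.subject,
                            installed.when if installed else None, ev.when))
    return results


def report(text):
    """Human-readable summary, one line per auto-deleted root."""
    lines = []
    for thumb, subject, installed, deleted in pair_lifecycles(parse_export(text)):
        if installed is None:
            lines.append(f"{thumb} ({subject}) auto-deleted {deleted:%Y-%m-%d %H:%M}; "
                         "no matching auto-update in this export")
        else:
            lines.append(f"{thumb} ({subject}) auto-installed {installed:%Y-%m-%d %H:%M}, "
                         f"auto-deleted {deleted:%Y-%m-%d %H:%M} after {deleted - installed}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Running it against the sample prints a single line showing the GlobalSign root surviving about one day between auto-install and auto-delete; pointing `report()` at a larger export of the Application log would list every third-party root that went through the same cycle, which is the quickest way to see whether the behaviour in the post is a one-off or routine on a given machine.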
 

Mark H

Some clarity is needed:
The first assumption being made is that you are using Vista.
(Event ID 12 is different in the various versions of windows.)

In Vista, Event ID 12 is the following...
The device device_name disappeared from the system without first being
prepared for removal.
(A hot detach of a removable device.)

Example: http://support.microsoft.com/kb/945926


Back to 3rd party root certificates auto-deleting...
Are you attempting to program the effect in your application, or disable the
effect on your machine?
CERT_CHAIN_DISABLE_AUTH_ROOT_AUTO_UPDATE
Setting this flag inhibits the auto update of third-party roots from the
Windows Update Web Server.
Note: Unless the computer this certificate is being applied to has Server
updates, this function will not work.

Basics of certificate update operation:
http://www.tech-faq.com/root-certificate-update.shtml
(Disabling of the function may cause other problems.)

Preventing auto-deletion per user requires that _each user_ add the
certificate to the Trusted Root Certificate Authorities repository. If this
is not done, the certificate will auto-delete each time the user logs out of
Internet Explorer.
http://www.thebitguru.com/articles/...Root Certification Authority in Windows Vista
 

GOODAY

Hello Mark,

Many thanks for your reply.

As indicated in the original post, the example event log was from Vista and
the event log export is exactly as shown, so event ID 12, when viewing the
application log at least, is the certificate auto delete.

The questions were

Q - In what circumstances does URC automatically delete a 3rd party root
certificate?

A - If I understand your reply correctly, the certificate will be deleted in
all instances when a user exits Internet Explorer (please confirm)

Q - Are such automatic deletions specific to Vista?
A - ?

Q - Can such deletions be disabled (without disabling URC?)
A - No, user must add manually to the Trusted Root Certificate Authorities
repository or else disable the Update Root Certificate Component (please confirm)

Many thanks,

Andrew
 

Mark H

See in-line.

GOODAY said:
Hello Mark,

Many thanks for your reply.

As indicated in the original post, the example event log was from Vista and
the event log export is exactly as shown, so event ID 12, when viewing the
application log at least, is the certificate auto delete.
I have no doubt that you gave the proper information. Just pointing out the
MS doesn't associate the two.
The questions were

Q - In what circumstances does URC automatically delete a 3rd party root
certificate?

A - If I understand your reply correctly, the certificate will be deleted in
all instances when a user exits Internet Explorer (please confirm)

This is my understanding, but response differs depending upon UAC and IE 7
Protected mode setup.
Additionally, some server updates to computers allow 3rd party certificates
to survive when the flag discussed is set to false, .NET is
disabled/uninstalled, URC is uninstalled, or the certificate is added to
the Trusted repository by the user (which requires Admin rights.) This
process can be automated within installation files, but not directly from
the web without additional UAC interaction. Automated files would require
manifests designating elevated access.
Q - Are such automatic deletions specific to Vista?
A - I believe this is true, but recent changes to XP / IE7 may include the
same functionality? I'm not sure where the UAC/Protected mode boundary
breaks this function as I have not tested it. It is discussed as being
applicable to XP SP2 in the following presentation:
http://msevents.microsoft.com/CUI/W...lture=en-US&EventID=1032310727&CountryCode=US
Q - Can such deletions be disabled (without disabling URC?)
A - No, user must add manually to the Trusted Root Certificate Authorities
repository or else disable the Update Root Certificate Component (please
confirm)

Again, my understanding. Note: User addition to TRCA requires Admin rights
(UAC approval).
MSDN/TechNet has a rather lengthy white-paper on this, but I was unable to
find it again.
Disabling URC is again a UAC level function accomplished either in Group
Policies or by uninstallation. Several Google hits indicate that URC
re-installs itself, meaning a stronger understanding is needed here on how
to permanently disable it.

Since I do not understand the exact situation/need, here are some additional
references:

Advanced Certificate Enrollment and Management:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

Active Directory Certificate Server Enhancements
http://www.microsoft.com/downloads/...31-d832-4ff9-8fb8-0539ba21ab95&displaylang=en

While these point to Windows 2003 Server and XP applicability, they are
strongly crossed over into Vista.

So, in the end, I only half-answered your questions.
 
