
Failed to extract third party root list

 
 
Tone-man 123
Guest
Posts: n/a

 
      08-03-2009

Hi:
I applied the latest batch of updates this weekend, and noticed the
following Event 11 in my server event logs:

Failed extract of third-party root list from auto update cab at:
<http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
with error: A required certificate is not within its validity period when
verifying against the current system clock or the timestamp in the signed
file.

Do I need to do anything about this?

Thanks.
 
 
 
 
 
Lawrence Garvin [MVP]
Guest
Posts: n/a

 
      08-03-2009

"Tone-man 123" <> wrote in message
news:A0AACC31-CD4B-43BE-8906-...

> Hi:
> I applied the latest batch of updates this weekend, and noticed the
> following Event 11 in my server event logs:
>
> Failed extract of third-party root list from auto update cab at:
> <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
> with error: A required certificate is not within its validity period when
> verifying against the current system clock or the timestamp in the signed
> file.
>
> Do I need to do anything about this?


Depends... if there's a bad certificate in the catalog.. we all have an
issue.

However, I had no issues importing it into a Vista SP2 system, so I'm
inclined to work from the premise that there's an issue with the machine(s)
you imported into.

First question would be the obvious one ... from the error message:
> A required certificate is not within its validity period
> when verifying against the current system clock
> or the timestamp in the signed file.


Is the system clock on the affected machine(s) correctly set? (including
Time Zone and DST?)


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Tone-man 123
Guest
Posts: n/a

 
      08-03-2009
Hi Lawrence:
Thanks for the reply.

Is there a way to know which machine this message is referring to?


"Lawrence Garvin [MVP]" wrote:

> "Tone-man 123" <> wrote in message
> news:A0AACC31-CD4B-43BE-8906-...
>
> > Hi:
> > I applied the latest batch of updates this weekend, and noticed the
> > following Event 11 in my server event logs:
> >
> > Failed extract of third-party root list from auto update cab at:
> > <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
> > with error: A required certificate is not within its validity period when
> > verifying against the current system clock or the timestamp in the signed
> > file.
> >
> > Do I need to do anything about this?

>
> Depends... if there's a bad certificate in the catalog.. we all have an
> issue.
>
> However, I had no issues importing it into a Vista SP2 system, so I'm
> inclined to work from the premise that there's an issue with the machine(s)
> you imported into.
>
> First question would be the obvious one ... from the error message:
> > A required certificate is not within its validity period
> > when verifying against the current system clock
> > or the timestamp in the signed file.

>
> Is the system clock on the affected machine(s) correctly set? (including
> Time Zone and DST?)
>
>
> --
> Lawrence Garvin, M.S., MCITP:EA, MCDBA
> Principal/CTO, Onsite Technology Solutions, Houston, Texas
> Microsoft MVP - Software Distribution (2005-2009)
>
> MS WSUS Website: http://www.microsoft.com/wsus
> My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
>
>

 
 
Lawrence Garvin [MVP]
Guest
Posts: n/a

 
      08-03-2009
"Tone-man 123" <> wrote in message
news:493E6EE4-2822-4E2D-AF1A-...

>> > I applied the latest batch of updates this weekend, and noticed the
>> > following Event 11 in my server event logs:
>> >
>> > Failed extract of third-party root list from auto update cab at:
>> > <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
>> > with error: A required certificate is not within its validity period
>> > when
>> > verifying against the current system clock or the timestamp in the
>> > signed
>> > file.
>> >
>> > Do I need to do anything about this?


>> First question would be the obvious one ... from the error message:
>> > A required certificate is not within its validity period
>> > when verifying against the current system clock
>> > or the timestamp in the signed file.

>>
>> Is the system clock on the affected machine(s) correctly set? (including
>> Time Zone and DST?)



> Is there a way to know which machine this message is referring to?



Uh... I presume from the machine where you obtained the Server Event log
item.

The error is talking about the LOCAL machine -- the machine where you're
attempting to install the STL.

--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
Tone-man 123
Guest
Posts: n/a

 
      08-03-2009

>
> Uh... I presume from the machine where you obtained the Server Event log
> item.
>
> The error is talking about the LOCAL machine -- the machine where you're
> attempting to install the STL.
>


Oh, OK, thanks.
I thought it might have been WSUS reporting on another computer, since this
is the server WSUS runs on.
All my computers sync time to the DC, which syncs with an internet time
server, so I don't think it's a time issue.

 
 
Tone-man 123
Guest
Posts: n/a

 
      08-06-2009

> >> Is the system clock on the affected machine(s) correctly set? (including
> >> Time Zone and DST?)

>


OK, I've verified that the system clock is correct. It's exactly the same as
my other DC.

I was able to download the cab file and Extract it on this computer.

I have a very beginner's question. What does this error message mean?
And now that it's extracted, is there anything I should do with the
authroot.stl file?

Thanks,

Tony
 
 
Lawrence Garvin [MVP]
Guest
Posts: n/a

 
      08-06-2009
"Tone-man 123" <> wrote in message
news:B776142F-F1C5-4108-873B-...

> I have a very beginner's question. What does this error message mean?


>> A required certificate is not within its validity period when verifying
>> against
>> the current system clock or the timestamp in the signed file.


A certificate has a period of time in which it's valid. Common validity
periods are 1 year, 2 years, 5 years, or 10 years from the date of creation.

What this message is saying is that there's a certificate in the package
which has a validity period that is inconsistent with the current system
time or inconsistent with the signed file package timestamp.

This could happen if the package was assembled with an incorrect
certificate, or
it could happen if the package filestamp was changed in the course of
copying or moving the file from one place to another, or
it could happen if the system date was incorrect on the machine used to
create the package,
or it can happen if the system time where the package is opened/certificate
is imported, is outside the range of validity.

The latter is the most likely cause, since the first three would result in
massive catastrophic failures of the CTL to import, and we'd already know
about it by now, and a new CTL would have been issued.

> I was able to download the cab file and Extract it on this computer.
> And now that it's extracted, is there anything I should do with the
> authroot.stl file?


Right click and select "Install CTL".
This will open the Certificate Import Wizard and allow you to import this
Certificate Trust List.
Click on Next; select "Automatically select the certificate store..."; click
on Next; click on Finish.

If this CTL, or a newer CTL, has previously been imported, you'll get a
dialog box asking if you want to replace the current CTL with this CTL.
Unless you're absolutely sure that this is the current CTL, or you suspect
the active CTL may be corrupted or incomplete, you should choose to NOT
replace the current CTL.

Otherwise, the CTL will be imported, and you'll get a dialog reporting that
the import was successful.

If you need to import the CTL on other systems, put it on a file share, or
copy it to the other system(s), and repeat the same process.




--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin
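
The validity-period check discussed in the reply above can be inspected on the extracted file itself. The following PowerShell is an added example, not part of the original thread: it lists the certificates embedded in the signed STL and tests each validity window against the local clock only. It assumes PowerShell 3.0 or later, and the path `C:\Temp\authroot.stl` is a placeholder for wherever the file was extracted.

```powershell
# Added example: list the certificates carried in an extracted authroot.stl
# and test each validity window against this machine's clock.
# Assumption: the default path is a placeholder, not a path from the thread.
param([string]$StlPath = 'C:\Temp\authroot.stl')

Add-Type -AssemblyName System.Security

# Clock context the error message refers to (time zone and DST included).
$nowUtc = [DateTime]::UtcNow
$tz     = [TimeZoneInfo]::Local
'Local clock : {0:s}   UTC: {1:s}' -f (Get-Date), $nowUtc
'Time zone   : {0}   DST active: {1}' -f $tz.DisplayName, $tz.IsDaylightSavingTime((Get-Date))

# The STL is a PKCS #7 SignedData blob, so SignedCms can decode it.
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
$cms.Decode([System.IO.File]::ReadAllBytes($StlPath))

# Thumbprints of the certificates that actually signed the list.
$signers = @($cms.SignerInfos | ForEach-Object { $_.Certificate.Thumbprint })

$report = foreach ($cert in $cms.Certificates) {
    $notBefore = $cert.NotBefore.ToUniversalTime()
    $notAfter  = $cert.NotAfter.ToUniversalTime()
    $state = if     ($nowUtc -lt $notBefore) { 'NOT YET VALID' }
             elseif ($nowUtc -gt $notAfter)  { 'EXPIRED' }
             else                            { 'ok' }
    [pscustomobject]@{
        Subject      = $cert.GetNameInfo('SimpleName', $false)
        IsSigner     = $signers -contains $cert.Thumbprint
        NotBeforeUtc = $notBefore
        NotAfterUtc  = $notAfter
        AtLocalClock = $state
    }
}
$report | Sort-Object NotAfterUtc | Format-Table -AutoSize

# Any row that is not 'ok' is outside its validity period on this machine.
$bad = @($report | Where-Object { $_.AtLocalClock -ne 'ok' })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} certificate(s) outside their validity period at the local clock." -f $bad.Count)
}
```

If every row reports `ok` on a machine that still logs the event, the local clock is not the cause for the certificates embedded in the file.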

 
 
Tone-man 123
Guest
Posts: n/a

 
      08-06-2009
> Right click and select "Install CTL".
..
..
..
> Otherwise, the CTL will be imported, and you'll get a dialog reporting that
> the import was successful.
>


Hi Lawrence:
Thanks for your reply.
I did the above, and got the "Import Successful" message.
Yay!

Just so I completely understand, what is this certificate for? It happened
when I released updates from WSUS, so I assume it's a digital signature that
verifies the validity of an update?

Thanks,

Tony

 
 
Lawrence Garvin [MVP]
Guest
Posts: n/a

 
      08-07-2009
"Tone-man 123" <> wrote in message
news:F5ED1055-3C49-4548-B894-...

> Just so I completely understand, what is this certificate for?


It's not a "certificate" per se, it's the Certificate Trust List -- the list
of trusted root certificates that allows the entire infrastructure of the
certificate system to work amongst all systems.

> It happened when I released updates from WSUS,


If you approved KB931125, and this is a Windows XP system, then it's from
the Update for Root Certificates update.

If it's not a Windows XP system, then the activity is purely coincidental.
You indicated that the entry was in your "server event logs", which suggests
to me this update was being installed on a server system. If that's the
case, then it came from the Windows Component feature "Update Root
Certificates" which can be found in Add/Remove Programs. This Windows
Component is independent of WSUS, and is responsible for maintaining the
cert store.

You can learn more from this Technet article:
http://technet.microsoft.com/en-us/l.../bb457160.aspx


--
Lawrence Garvin, M.S., MCITP:EA, MCDBA
Principal/CTO, Onsite Technology Solutions, Houston, Texas
Microsoft MVP - Software Distribution (2005-2009)

MS WSUS Website: http://www.microsoft.com/wsus
My MVP Profile: http://mvp.support.microsoft.com/pro...awrence.Garvin

 
 
 
 