Enterprise root CA not re-trusted after manually deleted

Discussion in 'Server Security' started by Ondrej Sevecek, May 26, 2009.

  1. hello,

    when I installed an Enterprise root CA, its certificate has been
    automatically installed into all computers' Trusted Root Certification

    When I then deleted the certificate manually from a computer's Trusted Root
    CAs it never reappeared and the Ent Root CA remained untrusted. Is that an
    expected behaviour? I tried to issue GPUPDATE /FORCE and also
    CERTUTIL -PULSE but without any effect.

    Does it mean that the Enterprise Root CA's cert is installed automatically
    only once and never reinstalled if missing?

    thank you very much.

    Ondrej Sevecek, May 26, 2009
  2. Ondrej Sevecek wrote:
    If root CA certificates are distributed using autoenrollment (meaning you have
    a standard enterprise CA install, and you don't use group policy for
    distributing CA certs) then the certificates are downloaded only once.

    Here is a quote from TechNet:

    Autoenrollment automatically downloads root certificates and cross-certificates
    from Active Directory whenever a change is detected in the directory or when a
    different domain controller is contacted. If a third-party root certificate or
    cross-certificate is deleted from the local machine store, autoenrollment will
    not download the certificates again until a change occurs in Active Directory or
    a new domain controller is contacted.

    To manually force a new download, delete the following registry key and all
    subordinate keys on all affected machines.

    So after you delete the specific registry entry try to issue gpupdate /force or
    certutil -pulse and you'll get your certs back.
    Martin Rublik, May 26, 2009
  3. Thank you, but what I wanted to know is an authoritative confirmation of
    a by-design behavior. It is not relevant whether there is the AEcache or
    not; I need to know whether one can be sure that manually deleted root
    certs will automatically return or need a manual repair.

    Ondrej Sevecek, May 26, 2009
  4. I'm sorry, but I cannot provide you with an authoritative answer; however, I would
    like to share what I think is going on. I would also be quite happy if someone could
    correct me if I'm wrong.

    As far as I understand, autoenrollment first checks the "CN=Public Key
    Services,CN=Services,CN=Configuration naming context" container for the uSNChanged
    attribute of certificationAuthority objects. You can check this using Wireshark
    or Network Monitor.

    The maximum USN returned by the query and the object count are stored in the registry
    (AEMaxUSN, AEObjectCount). These values are stored per DC (the DC is identified by its
    invocationId attribute). If the query returns a different number of responses
    (something got deleted) or uSNChanged differs from AEMaxUSN (a new cert was
    published), autoenrollment queries AD for CA certs and installs them.

    In general, if you delete a CA certificate from the store, the store will not update
    automatically (unless you connect to a domain controller that has a different
    update sequence number than the USN stored in the registry, or you publish or delete
    CA certs in AD).

    Best regards

    Martin Rublik, May 27, 2009
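As an added example (not code from the thread or from either poster), the following PowerShell script reproduces the change detection Martin describes in posts 2 and 4 from the client side: it queries the certificationAuthority objects under CN=Public Key Services on the DC the machine is talking to, computes the maximum uSNChanged and the object count, compares them with the per-DC values cached locally, and lists which published CA certificates are missing from the machine's Trusted Root store. It is read-only and changes nothing. Everything about the cache layout is an assumption not stated in the thread: that the cache lives under HKLM\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache, that it holds one subkey per DC named after the DC's invocationId, and that AEMaxUSN and AEObjectCount are values in that subkey (stored as either numeric or binary registry data).

```powershell
# Added diagnostic example; not from the thread. Read-only.
# ASSUMPTIONS (not stated in the thread): cache path, one subkey per DC named after
# the DC's invocationId, and AEMaxUSN / AEObjectCount stored as values in that subkey.

function ConvertTo-Int64Value {
    # Registry value types for the cache are assumed; accept numeric or binary.
    param($Value)
    if ($Value -is [byte[]]) {
        if ($Value.Length -ge 8) { return [BitConverter]::ToInt64($Value, 0) }
        return [int64][BitConverter]::ToInt32($Value, 0)
    }
    return [int64]$Value
}

function Get-AutoEnrollmentRootCaState {
    [CmdletBinding()]
    param(
        # Assumed cache location (the thread names AEDirectoryCache, not the full path).
        [string]$CachePath = 'HKLM:\SOFTWARE\Microsoft\Cryptography\AutoEnrollment\AEDirectoryCache'
    )

    # Which DC are we bound to, and what is its invocationId? Post 4 says the
    # cache is keyed per DC by this attribute.
    $rootDse      = [ADSI]'LDAP://RootDSE'
    $configNc     = $rootDse.configurationNamingContext.Value
    $ntds         = [ADSI]"LDAP://$($rootDse.dsServiceName.Value)"
    $invocationId = [guid][byte[]]$ntds.invocationId.Value

    # Query certificationAuthority objects below CN=Public Key Services, as in post 4.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot  = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNc"
    $searcher.Filter      = '(objectClass=certificationAuthority)'
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'usnchanged', 'cacertificate'))
    $results = $searcher.FindAll()

    $adObjectCount = $results.Count
    $adMaxUsn      = 0L
    $published     = @()   # CA certificates currently published in AD
    foreach ($r in $results) {
        $usn = [int64]$r.Properties['usnchanged'][0]
        if ($usn -gt $adMaxUsn) { $adMaxUsn = $usn }
        foreach ($raw in $r.Properties['cacertificate']) {
            $published += New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[byte[]]$raw)
        }
    }
    $results.Dispose()

    # Locate the cached values for this DC (assumed layout, see header comment).
    $cached = $null
    if (Test-Path $CachePath) {
        $cached = Get-ChildItem $CachePath |
            Where-Object { $_.PSChildName -like "*$invocationId*" } |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Select-Object -First 1
    }
    $cachedMaxUsn = $null
    $cachedCount  = $null
    if ($cached) {
        $cachedMaxUsn = ConvertTo-Int64Value $cached.AEMaxUSN
        $cachedCount  = ConvertTo-Int64Value $cached.AEObjectCount
    }

    # The decision the thread describes: a change is seen only if USN or count differ.
    if ($null -eq $cached) {
        $verdict = 'No cache entry for this DC: the next autoenrollment run should treat it as a change and download the CA certs.'
    } elseif ($cachedMaxUsn -ne $adMaxUsn -or $cachedCount -ne $adObjectCount) {
        $verdict = 'AD differs from the cached USN/object count: autoenrollment should re-download on its next run.'
    } else {
        $verdict = 'Cache matches AD: autoenrollment sees no change, so a manually deleted root will NOT come back by itself.'
    }

    # Which published CA certificates are absent from LocalMachine\Root?
    $rootStore = Get-ChildItem Cert:\LocalMachine\Root
    $missing = $published |
        Where-Object { $rootStore.Thumbprint -notcontains $_.Thumbprint } |
        Select-Object Subject, Thumbprint

    [pscustomobject]@{
        DomainController  = $rootDse.dnsHostName.Value
        InvocationId      = $invocationId
        AdMaxUsn          = $adMaxUsn
        AdObjectCount     = $adObjectCount
        CachedMaxUsn      = $cachedMaxUsn
        CachedObjectCount = $cachedCount
        Verdict           = $verdict
        MissingFromRoot   = $missing
    }
}

Get-AutoEnrollmentRootCaState | Format-List
```

Run it on a domain-joined machine where a root was removed by hand: if MissingFromRoot is non-empty while the verdict says the cache matches AD, you are looking at exactly the situation in this thread, and the repair is the one Martin gives in post 2 (clear the cache entry, then gpupdate /force or certutil -pulse) rather than waiting for autoenrollment. Reading the cache and the directory needs no elevation; only the repair step does.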
  5. Yes, it looks like that. The AEDirectoryCache is the authoritative local copy
    of AD, and the client is not interested in the contents of the cert store
    at all.

    Ondrej Sevecek, May 27, 2009
