Failed to extract third party root list

[kusumanabh]

Hi:
I applied the latest batch of updates this weekend, and noticed the following Event 11 in my server event logs:

Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.

Do I need to do anything about this?

Thanks.

[karrma]

Depends... if there's a bad certificate in the catalog.. we all have an issue.

However, I had no issues importing it into a Vista SP2 system, so I'm inclined to work from the premise that there's an issue with the machine(s) you imported into.

First question would be the obvious one ... from the error message:
Is the system clock on the affected machine(s) correctly set? (including Time Zone and DST?)

[elander]

Hi Karrma
Thanks for the reply.

Is there a way to know which machine this message is referring to?

[karrma]

Uh... I presume from the machine where you obtained the Server Event log item.

The error is talking about the LOCAL machine -- the machine where you're attempting to install the STL.

[elander]

Oh, OK, thanks.
I thought it might have been WSUS reporting on another computer, since this is the server WSUS runs on. All my computers sync time to the DC, which syncs with an internet time server, so I don't think it's a time issue.

[elander]

OK, I've verified that the system clock is correct. It's exactly the same as my other DC.

I was able to download the cab file and Extract it on this computer.

I have a very beginner's question. What does this error message mean? And now that it's extracted, is there anything I should do with the authroot.stl file?

Thanks,

[karrma]

A certificate has a period of time in which it's valid. Common validity periods are 1 year, 2 years, 5 years, or 10 years from the date of creation.

What this message is saying is that there's a certificate in the package which has a validity period that is inconsistent with the current system time or inconsistent with the signed file package timestamp.

This could happen if the package was assembled with an incorrect certificate, or it could happen if hte package filestamp was changed in the course of copying or moving the file from one place to another, or
it could happen if the system date was incorrect on the machine used to create the package, or it can happen if the system time where the package is opened/certificate is imported, is outside the range of validity.

The latter is the most likely cause, since the first three would result in massive catastrophic failures of the CTL to import, and we'd already know about it by now, and a new CTL would have been issued.

Right click and select "Install CTL". This will open the Certificate Import Wizard and allow you to import this Certificate Trust List. Click on Next; select "Automatically select the certificate store..."; click on Next; click on Finish.

If this CTL, or a newer CTL, has previously been imported, you'll get a dialog box asking if you want to replace the current CTL with this CTL. Unless you're absolutely sure that this is the current CTL, or you suspect the active CTL may be corrupted or incomplete, you should choose to NOT replace the current CTL.

Otherwise, the CTL will be imported, and you'll get a dialog reporting that the import was successful. If you need to import the CTL on other systems, put it on a file share, or copy it to the other system(s), and repeat the same process.

[elander]

Hello Karrma,

Thanks for your reply.
I did the above, and got the "Import Successful" message. Yay!

Just so I completely understand, what is this certificate for? It happened when I released updates from WSUS, so I assume it's a digital signature that verifies the validity of an update?

Thanks,

[karrma]

It's not a "certificate" per se, it's the Certificate Trust List -- the list of trusted root certificates that allows the entire infrastructure of the certificate system to work amongst all systems.

If you approved KB931125, and this is a Windows XP system, then it's from the Update for Root Certificates update.

If it's not a Windows XP system, then the activity is purely coincidental. You indicated that the entry was in your "server event logs", which suggests to me this update was being installed on a server system. If that's the case, then it came from the Windows Component feature "Update Root Certificates" which can be found in Add/Remove Programs. This Windows Component is independent of WSUS, and is responsible for maintaining the cert store.

You can learn more from this Technet article: http://technet.microsoft.com/en-us/l.../bb457160.aspx