Trusted root certificate being automatically removed from store

I have a trusted third party's root certificate. I install this to the 'Trusted Root Certification Authorities' certificate store in Windows Server 2008, but it disappears from the certificate store at unknown times.

What could be causing this?

  • The certificate has not expired
  • It doesn't appear to have been revoked
  • I can't see any relevant event logs around the times of incidents
  • It happens on my dev machine, test environments and production servers
  • The production servers are not on a domain, just a workgroup (hosted in Rackspace)
  • Querying group policy (gpresult /h foo.html) doesn't report that I'm prevented from trusting third-party root CAs

I'm using the following code in a C# command line app to install the cert:

using System.Security.Cryptography.X509Certificates;

// Load the third party's root certificate from the working directory
X509Certificate2 certificate = new X509Certificate2("trusted-root-cert.cer");
// StoreName.AuthRoot is the machine-wide "Third-Party Root Certification Authorities" store
X509Store store = new X509Store(StoreName.AuthRoot, StoreLocation.LocalMachine);

store.Open(OpenFlags.ReadWrite);
store.Add(certificate);
store.Close();

The certificate installation code happens to run every time I release a change to my application. I don't see how this could do any harm but it's worth mentioning.

There might be something wrong about the way I'm installing the certificate. What is the preferred way of installing?


Solution 1:

Doing more thorough digging in the Application event log, this entry occurred:

Log Name:      Application
Source:        Microsoft-Windows-CAPI2
Date:          24/10/2014 12:49:10
Event ID:      4108
Task Category: None
Level:         Information
Keywords:      Classic
User:          N/A
Computer:      [redacted]
Description:
Successful auto delete of third-party root certificate:: Subject [...redacted...]

It turns out that third-party root CAs can be deleted by Windows if they are not recognised:

Typically, a certificate is used when you use a secure Web site or when you send and receive secure e-mail. Anyone can issue certificates, but to have transactions that are as secure as possible, certificates must be issued by a trusted certificate authority (CA). Microsoft has included a list in Windows XP and other products of companies and organizations that it considers trusted authorities.

http://toastergremlin.com/?p=144
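A defender-side check for the behaviour described in this answer, as an added example that is not part of the original question or answer. The script reports whether a given certificate is currently present in the LocalMachine Root ("Trusted Root Certification Authorities") and AuthRoot ("Third-Party Root Certification Authorities", the store the question's StoreName.AuthRoot writes to) stores, then pulls the CAPI2 event 4108 entries from the Application log so the auto-deletion can be seen and timed. The $Thumbprint and $SubjectMatch values are placeholders to be replaced with the certificate in question; they are assumptions, not values from the page.

```powershell
# Added example, not code from the original question or answer.
# Placeholders: replace with the thumbprint and a fragment of the subject
# of the root certificate that keeps disappearing.
param(
    [string]$Thumbprint   = 'REPLACE-WITH-THUMBPRINT',   # placeholder, not a real value
    [string]$SubjectMatch = 'REPLACE-WITH-SUBJECT'       # placeholder, not a real value
)

# 1. Where does the certificate currently live?
#    Root     = "Trusted Root Certification Authorities"     (StoreName.Root)
#    AuthRoot = "Third-Party Root Certification Authorities" (StoreName.AuthRoot,
#               the store the question's C# code installs into)
foreach ($storeName in 'Root', 'AuthRoot') {
    $path  = "Cert:\LocalMachine\$storeName"
    # -eq is case-insensitive in PowerShell, so thumbprint casing does not matter
    $found = Get-ChildItem -Path $path | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if ($found) {
        '{0}: present (Subject={1}, NotAfter={2})' -f $path, $found.Subject, $found.NotAfter
    } else {
        '{0}: absent' -f $path
    }
}

# 2. Look for the CAPI2 auto-delete records in the Application log. Event 4108 is
#    the entry the answer found; its message text names the deleted certificate's
#    subject, so filtering on a subject fragment isolates the certificate of interest.
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Application'
    ProviderName = 'Microsoft-Windows-CAPI2'
    Id           = 4108
} -ErrorAction SilentlyContinue

if (-not $events) {
    'No CAPI2 event 4108 (auto delete of third-party root certificate) found.'
} else {
    $events |
        Where-Object { $_.Message -like "*$SubjectMatch*" } |
        Select-Object TimeCreated, Id,
            @{ Name = 'Message'; Expression = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt on the affected machine; the TimeCreated column of the 4108 events gives the exact moments the store was changed, which is the correlation the question was missing when it reported no relevant event log entries.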