Article ID: 931125
Notice
The KB 931125 package that was posted to Windows Update and WSUS on December 11, 2012, was intended only for client SKUs. However, the package was also offered for server SKUs. Because some customers reported issues after they installed the package on servers, the KB 931125 updates for server SKUs were expired from Windows Update and WSUS. We recommend that you sync your WSUS server and approve the expiry.

If you already applied the update on a server and are encountering issues, you should use the Fix It solution in the following article in the Microsoft Knowledge Base:
2801679 SSL/TLS communication problems after you install KB 931125

Introduction

This article contains a download link to a list of the third-party certification authorities (CAs) that are trusted by Microsoft and whose root certificates are distributed through the Microsoft Root Certificate Program. It also describes how the different versions of Windows update root certificates.

Resolution

The root update package will update the list of root certificates on users' computers to the list that is accepted by Microsoft as part of the Windows Root Certificate Program. The file is updated periodically to add or remove root certificates or CAs from distribution by the program. You can get the root update package through the following methods:

Microsoft Download Center (Windows XP only)

The update is available for download from the Microsoft Download Center: 

Update for Root Certificates for Windows XP [November 2013] (KB931125)

Important: You may be prompted to pass the Microsoft Genuine Software validation process to download the package.

Microsoft Update Catalog (all Windows versions)

The root update package is made available through the Microsoft Update Catalog. There, users can search for and independently download the update package. You can search for "root certificate update" or the Microsoft Knowledge Base article, "KB931125," and then download the latest root certificate update package. 

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate%20update

The root update package is available for the following supported versions of Windows in both x86 and x64 architectures: 
Architecture  Title
x86           Update for Root Certificates for Windows XP [November 2013] (KB931125)
x64           Update for Root Certificates for Windows XP x64 Edition [November 2013] (KB931125)
x86           Update for Root Certificates for Windows Vista [November 2013] (KB931125)
x64           Update for Root Certificates for Windows Vista for x64-based Systems [November 2013] (KB931125)
x86           Update for Root Certificates for Windows 7 [November 2013] (KB931125)
x64           Update for Root Certificates for Windows 7 for x64-based Systems [November 2013] (KB931125)
x86           Update for Root Certificates for Windows 8 [November 2013] (KB931125)
x64           Update for Root Certificates for Windows 8 for x64-based Systems [November 2013] (KB931125)
x86           Update for Root Certificates for Windows 8.1 [November 2013] (KB931125)
x64           Update for Root Certificates for Windows 8.1 for x64-based Systems [November 2013] (KB931125)
 
Note: Root update packages are cumulative. Therefore, you only need to install the latest package to receive all root certificates in the program.  

For more information about identifying 32-bit and 64-bit operating systems, click the following article number to view the article in the Microsoft Knowledge Base:
827218 How to determine whether your computer is running a 32-bit version or a 64-bit version of the Windows operating system

Windows Server Update Services (WSUS)

The root update package is also available for download from Windows Server Update Services (WSUS). WSUS enables information technology administrators to deploy the latest Microsoft product updates to computers that are running the Windows operating system. By using WSUS, administrators can fully manage the distribution of updates that are released through Microsoft Update to computers in their network.

For more information, click the following article number to view the article in the Microsoft Knowledge Base:
919772 How to enable the Microsoft Windows Server Update Services (WSUS) server to distribute Windows Updates

More information

Windows Root Certificate Program update information

Root CAs - Microsoft maintains a list of root certificates that are distributed by the Windows Root Certificate Program on the Program website.
To learn more about CAs who are members of the program, go to the following website:
http://go.microsoft.com/fwlink/?LinkID=269988

Root Certificate Program requirements - For a list of all the current general and technical requirements of the Windows Root Certificate Program, go to the following Microsoft TechNet website:
http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx

Extended Validation Certificates (EV SSL) - For more information about the support for EV certificates in Internet Explorer 7 and later versions, go to the following website:
http://www.microsoft.com/windows/products/winfamily/ie/ev/default.mspx

How Windows updates root certificates

Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed through the Windows Root Certificate Program. To understand the difference in root update mechanisms, it is most convenient to break Windows versions into two categories:
  • OS versions that support automatic root update of individual root certificates
  • OS versions that rely on an earlier, optional root update package (a package that contains all the currently distributed root certificates)

On Windows client SKUs, Windows Vista and later versions fully support the automatic root update mechanism. Windows XP supports the automatic root update mechanism only partly. (See the "Windows XP" section for more information.) We recommend that versions of Windows earlier than Windows Vista download the optional root update package that contains all currently distributed root certificates.

Windows Vista and Windows 7

Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, each root certificate is distributed individually, when it is first needed. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, it downloads the current Certificate Trust List (CTL), which contains the list of all trusted root certificates in the program, and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.

To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, for Windows Vista and later versions, client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing, or server authentication properties [that is, certificate properties that are added to a root certificate]).

For detailed technical information about how Windows updates root certificates in Windows Vista and in later versions, go to the following website:
http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

Windows XP

Windows XP does not fully support the automatic root update mechanism. When a root certificate is already present on a user’s system, it will not be updated even if the copy of the root certificate available on Microsoft Update has changed. Windows XP also does not support the weekly pre-fetching of certificate properties from Microsoft Update feature, and the only way to install new root certificate properties on Windows XP is by installing the root update package.

We recommend that users who are running Windows XP download and install the root update package to update their root certificates. Root certificates are delivered for Windows XP through Microsoft Update as an optional root update package – an executable that contains every root certificate that is distributed by the Windows Root Certificate Program. Windows XP users can opt to download the package every time that it is updated and presented by Microsoft Update. Or, they can opt to download the root update packages automatically when they are updated. The optional root update package is updated approximately three or four times per year, or every quarter.

For additional technical information about how Windows updates root certificates in Windows XP SP2 and SP3, go to the following website:
http://technet.microsoft.com/en-us/library/bb457160.aspx

Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2

The automatic root update mechanism is enabled on Windows Server 2008 and later versions, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partly. (This is the same as the support on Windows XP.) And because the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.

If you install the root update package on Windows Server SKUs, you may exceed the limit on how many root certificates Schannel can handle when it reports the list of roots to clients in a TLS or SSL handshake, because the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs grows significantly and may become too long. The list is then truncated, which may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base:

933430 Clients cannot make connections if you require client certificates on a website or if you use IAS in Windows Server 2003.

Note: These limitations apply only if you have SSL client authentication enabled on Windows Server.
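
The following check is an added example, not part of the original article and not a Microsoft tool. It estimates how large the trusted issuer list built from a server's root store would be and compares it with the 0x3000 limit quoted above. It assumes Windows PowerShell, that the limit is counted in bytes, and that each issuer is sent as its DER-encoded subject name preceded by a 2-byte length, as in the TLS CertificateRequest message; the function name Get-IssuerListEstimate is hypothetical.

```powershell
# Added example: estimate the size of the trusted issuer list that would be
# built from a certificate store and compare it with the 0x3000 limit that
# the article gives for Windows Server 2003.
# Assumptions (not from the article): the limit is a byte count, and each
# issuer costs its DER-encoded subject name plus a 2-byte length prefix.
# Every certificate is counted, so the result is a conservative upper bound.

function Get-IssuerListEstimate {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\Root',
        [int]$LimitBytes   = 0x3000
    )

    $count = 0
    $total = 0
    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # SubjectName.RawData is the ASN.1 DER encoding of the subject name.
        $total += 2 + $cert.SubjectName.RawData.Length
        $count++
    }

    New-Object PSObject -Property @{
        StorePath     = $StorePath
        Certificates  = $count
        EstimatedSize = $total
        Limit         = $LimitBytes
        OverLimit     = ($total -gt $LimitBytes)
    }
}

$result = Get-IssuerListEstimate
$result | Format-List StorePath, Certificates, EstimatedSize, Limit, OverLimit

if ($result.OverLimit) {
    # The article associates a truncated list with Schannel event ID 36885,
    # so look for recent occurrences in the System log.
    Get-EventLog -LogName System -Source Schannel -Newest 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.EventID -eq 36885 } |
        Select-Object -First 5 TimeGenerated, EventID, Message
}
```

Running it before and after installing the root update package on a test server shows how much the package adds to the list.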

Root update package installation on disconnected environments

We recommend that systems that are running Windows client or server SKUs in disconnected environments (for example, where the automatic root update mechanism does not work because connectivity to Microsoft Update is not available) should install the root update package. The root update package will install on Windows Vista and Windows 7 as a workaround in disconnected environments. However, we do not recommend that systems that have network connectivity to Microsoft Update install the root update package, because the automatic root update mechanism will work for them.

You can use Group Policy to distribute root certificates to a group of servers in a disconnected environment. Instructions on how to install root certificates by using Group Policy are available at the following websites:

Windows Server 2003: http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx

Windows Server 2008: http://technet.microsoft.com/en-us/library/cc772491.aspx

Windows Vista includes a set of trusted third-party root certificates in the Crypt32.dll resource file so that these certificates can be used as a fallback when connectivity to Windows Update is not available. When auto root update is triggered, it tries to download the trusted third-party root certificate from the network. In an offline environment, network retrieval fails, and CAPI checks the resources in Crypt32.dll for the root certificate. If the root is present, it is used and installed in the root store. Windows 7 has similar behavior.

If auto root update is disabled, no attempt to retrieve the root is made. Therefore, the roots are not installed. Be aware that the resources in Crypt32.dll include only those certificates that were present in the root program at a time before the OS release. Any root certificates that were added later are not present in the resource, and such certificates are available only through the root-update package.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Properties

Article ID: 931125 - Last Review: March 14, 2014 - Revision: 21.0
Applies to
  • Windows Vista Enterprise 64-bit Edition
  • Windows Vista Home Basic 64-bit Edition
  • Windows Vista Home Premium 64-bit Edition
  • Windows Vista Ultimate 64-bit Edition
  • Windows Vista Business
  • Windows Vista Business 64-bit Edition
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Starter
  • Windows Vista Ultimate
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Media Center Edition 2005 Update Rollup 2
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Tablet PC Edition
  • Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
  • Microsoft Windows Server 2003, Enterprise x64 Edition
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Datacenter x64 Edition
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Standard x64 Edition
  • Microsoft Windows Server 2003, Web Edition
  • Windows 7 Enterprise
  • Windows 7 Home Basic
  • Windows 7 Home Premium
  • Windows 7 Professional
  • Windows 7 Starter
  • Windows 7 Ultimate
  • Windows HPC Server 2008 R2
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Enterprise
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008 R2
  • Windows 8
  • Windows 8 Pro
  • Windows 8 Enterprise
  • Windows Server 2012 Datacenter
  • Windows Server 2012 Essentials
  • Windows Server 2012 Foundation
  • Windows Server 2012 Standard