Understanding the Windows Certificate Update Process

Windows has a built-in feature that manages trusted root certificates. This feature automatically downloads and installs updated root certificates from the Microsoft Trusted Root Program when Windows Update is enabled. This ensures that Windows has the most current and trusted root certificates. The process is as follows:

  1. Certificate Store Management
    Windows maintains a certificate store that includes a list of trusted root certificates. These certificates are used to verify the authenticity of software and secure communications.
  2. Update Mechanism
    When a new or updated certificate is published by a Certificate Authority (CA) that is part of the Microsoft Trusted Root Program, Windows Update automatically downloads and installs this certificate. This process helps maintain the integrity and trustworthiness of the system.
  3. Periodic Checks
    Windows periodically checks for updates to the list of trusted root certificates and downloads them as needed. This automatic check ensures that the certificate store is always up to date without requiring manual intervention.

In environments where Windows Update is not used, such as when using WSUS or other update management systems, administrators need to manually manage certificate updates. Here are the steps recommended by Microsoft for updating certificates in such environments:

  1. Identifying Outdated Certificates
    1. Regularly audit the certificate store on your systems to identify certificates that are expired or nearing expiration.
    2. Use tools like certutil to list and review certificates.
  2. Downloading Certificates
    1. Manually download updated root certificates from the Microsoft Update Catalog or directly from the Certificate Authority’s (CA) website. The Microsoft Update Catalog provides a searchable database of updates, including root certificate updates.
    2. Ensure that you download certificates from trusted sources to avoid security risks.
  3. Importing Certificates
    1. Import the downloaded certificates into the appropriate certificate stores on the system. This can be done using the Microsoft Management Console (MMC) with the Certificates snap-in or via command-line tools like certutil.
    2. For MMC:
      1. Open MMC and add the Certificates snap-in.
      2. Navigate to the appropriate store (e.g., Trusted Root Certification Authorities).
      3. Right-click and select "Import" to start the Certificate Import Wizard.
      4. Follow the prompts to select and import the downloaded certificate.
    3. For certutil, use the following command to add a certificate to the trusted root store:

      certutil -addstore root <certificate_file>

  4. Automating Certificate Distribution
    1. In domain environments, use Group Policy to automate the distribution and installation of certificates across multiple systems. This ensures consistency and compliance across the network.
      1. Open the Group Policy Management Console (GPMC).
      2. Create or edit a Group Policy Object (GPO).
      3. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies.
      4. Right-click Trusted Root Certification Authorities and select "Import" to start the Certificate Import Wizard.
      5. Follow the prompts to select and import the downloaded certificate.
    2. Apply the GPO to the relevant Organizational Units (OUs) or groups to ensure that all targeted systems receive the updated certificates.
  5. Regular Maintenance and Monitoring
    1. Establish a routine schedule for checking and updating certificates to ensure they remain current.
    2. Monitor the environment for any certificate-related issues and address them promptly.
    3. Stay informed about updates and changes to root certificates by subscribing to notifications from Microsoft or the relevant CAs.
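The audit and import steps above can be scripted so they run the same way on every host. The following PowerShell is an added example written for this article, not Microsoft's or Trend Micro's own tooling: it lists Trusted Root certificates that are expired or expire within a chosen window, and imports a downloaded root certificate only after its thumbprint matches the value published by the CA. The file path, the 30-day default and the placeholder thumbprint are assumptions for illustration.

```powershell
# Added example (not from the original article): audit the machine's Trusted Root
# store for expired or soon-to-expire certificates, then import a downloaded root
# certificate after checking its thumbprint. Run from an elevated PowerShell session.
# The store path, 30-day window and file paths below are assumptions for illustration.

function Get-ExpiringRootCertificates {
    param(
        [int]$DaysAhead = 30,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($DaysAhead)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -lt $cutoff } |
        Select-Object Subject, Thumbprint, NotAfter,
            @{ Name = 'Status'; Expression = {
                if ($_.NotAfter -lt $now) { 'Expired' } else { 'Expiring' } } } |
        Sort-Object NotAfter
}

function Import-RootCertificateChecked {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [string]$StorePath = 'Cert:\LocalMachine\Root'
    )
    # Compare against the thumbprint the CA or Microsoft published, so a tampered
    # or mistaken download is never added to the root store.
    $expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    if ($cert.Thumbprint.ToUpper() -ne $expected) {
        throw "Thumbprint mismatch for ${Path}: got $($cert.Thumbprint), expected $expected"
    }
    if (Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) {
        Write-Output "Already present: $($cert.Subject)"
        return
    }
    Import-Certificate -FilePath $Path -CertStoreLocation $StorePath | Out-Null
    Write-Output "Imported: $($cert.Subject) ($($cert.Thumbprint))"
}

# Usage: report roots expiring within 60 days, then import a downloaded root.
Get-ExpiringRootCertificates -DaysAhead 60 | Format-Table -AutoSize
# Import-RootCertificateChecked -Path 'C:\temp\NewRootCA.cer' `
#     -ExpectedThumbprint '<THUMBPRINT PUBLISHED BY THE CA>'
```

`Import-Certificate` comes from the PKI module shipped with Windows 8 / Server 2012 and later; on older systems the `certutil -addstore root <certificate_file>` command from step 3 does the same job. The thumbprint check is the part that matters for security: it replaces "download from a trusted source" with something the script can actually verify.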

EasyFix for System Certificates is a tool that inspects the operating system to identify the missing certificates required by Trend Micro Apex One 2019, Trend Micro Apex One SaaS or Trend Micro Vision One Agent. It imports those certificates to the operating system automatically, and the result of certificate inspection and recovery is recorded in a log file.

EasyFix for System Certificates can be executed on any Windows platform supported by the installed product. A product license of any of the following products is required for using this tool.

  • Trend Micro Apex One 2019
  • Trend Micro Apex One SaaS
  • Trend Micro Vision One Agent
  • Trend Micro Cloud One Workload Security Agent

This tool can be deployed through a software distribution platform to a large number of Windows machines. It can also be executed manually by following these steps:

  1. Download the EasyFix for System Certificates tool.
  2. Extract all files from "EasyFix_for_System_Certificates_v1.0.zip" to a temp folder (e.g. C:\temp).
  3. Go to the temp folder C:\temp and execute EasyFixSysCerts.exe in CMD with administrator privilege.
    • To inspect and import missing certificates for Trend Micro Apex One 2019 and Trend Micro Apex One SaaS:

      EasyFixSysCerts.exe A1

    • To inspect and import missing certificates for Trend Micro Vision One Agent:

      EasyFixSysCerts.exe V1

    • To inspect and import missing certificates for Trend Micro Cloud One Workload Security Agent:

      EasyFixSysCerts.exe C1

  4. A 'Log' subfolder will be created with two files:
    • EasyFixofSysCerts.json - a summary of missing and installed certificates
    • SCPeasyfix.log - the log of the EasyFixSysCerts process

  5. Search the log for the following keywords to confirm the execution result:
    • Fixing result is True.
    • Fixing result is False.
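When the tool is pushed through a software distribution platform, nobody opens SCPeasyfix.log by hand, so the "Fixing result" check has to be done by the deployment script. The wrapper below is an added example, not part of the EasyFix tool or of this article: it runs EasyFixSysCerts.exe with the chosen product code, waits for it to finish, reads the last "Fixing result" line from the log and turns it into an exit code the distribution platform can report on. The tool folder and the exit-code convention are assumptions; the product codes, file names and log phrases are the ones given in the steps above.

```powershell
# Added example (not part of the EasyFix tool or this article): deployment wrapper
# that runs EasyFixSysCerts.exe and reports the result recorded in SCPeasyfix.log.
# Assumptions: the tool was extracted to C:\temp, and the platform treats a
# non-zero exit code as "needs attention".

function Invoke-EasyFixSysCerts {
    param(
        [ValidateSet('A1', 'V1', 'C1')][string]$Product = 'A1',   # A1 = Apex One, V1 = Vision One, C1 = Cloud One
        [string]$ToolDir = 'C:\temp'
    )
    $exe = Join-Path $ToolDir 'EasyFixSysCerts.exe'
    if (-not (Test-Path $exe)) { throw "EasyFixSysCerts.exe not found in $ToolDir" }

    # Run synchronously so the log is complete before it is read
    $proc = Start-Process -FilePath $exe -ArgumentList $Product -WorkingDirectory $ToolDir `
                          -Wait -PassThru -NoNewWindow

    $log = Join-Path $ToolDir 'Log\SCPeasyfix.log'
    if (-not (Test-Path $log)) { throw "Log file was not created: $log" }

    # The tool writes 'Fixing result is True.' or 'Fixing result is False.'
    $match  = Select-String -Path $log -Pattern 'Fixing result is (True|False)' | Select-Object -Last 1
    $result = if ($match) { $match.Matches[0].Groups[1].Value } else { 'Unknown' }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Product   = $Product
        ExitCode  = $proc.ExitCode
        FixResult = $result
        Summary   = Join-Path $ToolDir 'Log\EasyFixofSysCerts.json'
    }
}

$r = Invoke-EasyFixSysCerts -Product 'A1'
$r | Format-List
# A non-zero exit lets the distribution platform flag machines where the fix did
# not complete, so they can be checked against EasyFixofSysCerts.json.
if ($r.FixResult -eq 'True') { exit 0 } else { exit 1 }
```

Keeping the JSON summary path in the returned object makes it easy to collect the per-machine summaries centrally when a run reports False.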

Recommended Practices

To ensure that certificates remain up to date, follow Microsoft’s recommended procedures, as outlined in their documentation on managing trusted root certificates, Configure Trusted Roots and Disallowed Certificates.