VeriSign Universal Root Certification Authority missing


Normally, you shouldn't have to worry about issues like this.

When you are presented with a certificate issued by an untrusted root authority, your computer will contact the Windows Update web site to see if Microsoft has added the CA to its list of trusted authorities. [1]

See Microsoft KB 2328240: "Event ID 4107 or Event ID 11 is logged in the Application log in Windows and in Windows Server"

Cause - This error occurs because the Microsoft Certificate Trust List Publisher certificate expired. A copy of the CTL with an expired signing certificate exists in the CryptnetUrlCache folder.

There is a "Fix it for me" download available at that page, or directions for manually fixing the problem.

After applying the update and rebooting, the next time you visit the site, your computer should automatically download the CA certificate. Restarting the browser and re-visiting the site should be successful.

[1] This was paraphrased from the description found in Group Policy Editor (gpedit.msc): Administrative Templates/System/Internet Communication settings/Turn off Automatic Root Certificates Update
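A read-only check of the conditions discussed on this page (the missing root, the "Turn off Automatic Root Certificates Update" policy, and the CAPI2 events 4101, 4107 and 11), as an added example that is not part of the original answer. The registry location of the policy and the CAPI2 provider name are not on the page; they are stated from general Windows knowledge and are marked as assumptions in the comments.

```powershell
# Added diagnostic sketch, not from the original answer. Read-only.
# Written for PowerShell 2.0 (Windows 7); run from an elevated prompt.

$rootName = 'VeriSign Universal Root Certification Authority'  # subject from the question's chain
$ctlHost  = 'ctldl.windowsupdate.com'                          # host from the Event 4101 URL

# 1. Is the root present in either machine store? AuthRoot is the store shown
#    in the MMC as "Third-Party Root Certification Authorities".
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'
$found  = @(Get-ChildItem $stores | Where-Object { $_.Subject -like "*CN=$rootName*" })
if ($found.Count -gt 0) {
    $found | Select-Object PSParentPath, Thumbprint, NotAfter | Format-List
} else {
    Write-Output "Root '$rootName' not found in LocalMachine Root/AuthRoot."
}

# 2. Is "Turn off Automatic Root Certificates Update" enforced by policy?
#    Assumption: the setting is stored as DisableRootAutoUpdate under this key.
$polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$pol = Get-ItemProperty -Path $polKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRootAutoUpdate -eq 1) {
    Write-Output 'DisableRootAutoUpdate = 1: on-demand root download is turned off.'
} else {
    Write-Output 'Automatic root update is not disabled by policy.'
}

# 3. Error 12007 (0x2ee7) is a name-resolution failure, so test whether this
#    machine can resolve the host the CTL and root certificates are fetched from.
try {
    $ips = [System.Net.Dns]::GetHostAddresses($ctlHost)
    Write-Output ("{0} resolves to: {1}" -f $ctlHost, ($ips -join ', '))
} catch {
    Write-Output "$ctlHost does not resolve: $($_.Exception.Message)"
}

# 4. Most recent CAPI2 events with the IDs named on this page.
#    Assumption: the "CAPI2" source is registered as provider Microsoft-Windows-CAPI2.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; Id = 4101, 4107, 11 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

A missing root in step 1 together with a resolution failure in step 3 is consistent with the Event 4101 error quoted in the question.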


Author: Jonathon Reinhart

Professional C, asm, Python developer GitLab, FreeNas admin

Updated on September 18, 2022

Comments

  • Jonathon Reinhart
    Jonathon Reinhart over 1 year

    I'm attempting to visit https://www.duluthtrading.com/, and I'm receiving an untrusted certificate error on Windows 7. This happens in both IE and Chrome (as both use the Windows certificate store).

    Here's the certificate chain:

    • VeriSign Universal Root Certification Authority
      • Symantec Class 3 Secure Server SHA256 SSL CA (e7 32 73 e5 3a cf e8 0f 41 0b 3e f4 6b 18 02 87 a0 04 40 cd)
        • www.duluthtrading.com (6e 70 94 1a e6 39 88 9a 64 fa cb 76 34 af 62 e6 43 83 66 cf)

    The problem is, the Root CA (VeriSign Universal Root Certification Authority) is not trusted on this problematic system. This machine is up-to-date via Windows Update.

    I looked on another Windows 7 VM (which was less up-to-date), and the certificate was there, under "Third-Party Root Certification Authorities". This VM had fewer certificates.

    Why is this CA certificate missing?

    How can I fix this machine?


    Update: In the Windows Application log, I'm seeing the following errors:

    Event 4101, CAPI2
    Failed auto update retrieval of third-party root certificate from: <http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/AFE5D244A8D1194230FF479FE2F897BBCD7A8CB4.crt> with error: 12007 (0x2ee7).
    
    • user1686
      user1686 over 8 years
      AFAIK, as long as Microsoft accepts a root CA, Win7 and later versions will download it from Windows Update automagically on demand, so the lists may indeed be different between systems...
    • Ramhound
      Ramhound over 8 years
      Is this on a machine you have complete and total control over? The only reason it would be missing is if somebody physically removed it; in other words, is this a personal machine or a machine owned by a business or corporation?
    • Jonathon Reinhart
      Jonathon Reinhart over 8 years
      This is a personal machine. I have no idea how the cert got removed.
    • Jonathan Cross
      Jonathan Cross over 8 years
      I am seeing the same issue (missing VeriSign Universal Root Certification Authority) on a Mac. Firefox works fine (has its own certs?), but Chrome and Safari cannot locate the root cert. Reinstalling Chrome didn't help.