List of trusted authorities - invalid?

Hello,

in the event log of several machines, I noticed entries about failed attempt
to download the lsit of trusted authorities from
http://www.download.windowsupdate.co...uthrootstl.cab .
The problem was in proxy server - I opened the port and it was then
downloaded. But while I was trying it, I actually downloaded the cab,
unpacked it, and looked at the file - certificate trust list "authroot";
when opened, it said that "this certificate trust list is not valid. The
certifiate that signed the list is not valid". Viewing the signature shows:
"The certificate is not valid for the requested usage". Should I worry?

thanks,
Vadim Rapp

Compare and contrast: Trusted root certificates that are required by
Windows Server 2008, by Windows Vista, by Windows Server 2003, by
Windows XP, and by Windows 2000
http://support.microsoft.com/kb/293781

Even if the certs have expired some are still needed for 'backwards
compatibility'. So no, you don't need to worry.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============


Vadim Rapp wrote:

> Hello,
>
> in the event log of several machines, I noticed entries about failed attempt
> to download the lsit of trusted authorities from
> http://www.download.windowsupdate.co...uthrootstl.cab .
> The problem was in proxy server - I opened the port and it was then
> downloaded. But while I was trying it, I actually downloaded the cab,
> unpacked it, and looked at the file - certificate trust list "authroot";
> when opened, it said that "this certificate trust list is not valid. The
> certifiate that signed the list is not valid". Viewing the signature shows:
> "The certificate is not valid for the requested usage". Should I worry?
>
> thanks,
> Vadim Rapp
>
>

But they did not expire - the error seems to be that the cert is "not good
for requested usage". In which case it probably would be ignored
alltogether.

Depends though on the "requested usage" - I wonder what was it assumed to be
when I just opened to view the certificate.

Vadim

"MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
news:u$V14WqPJHA.4680@TK2MSFTNGP06.phx.gbl...
> Compare and contrast: Trusted root certificates that are required by
> Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows
> XP, and by Windows 2000
> http://support.microsoft.com/kb/293781
>
> Even if the certs have expired some are still needed for 'backwards
> compatibility'. So no, you don't need to worry.
>
> MowGreen [MVP 2003-2009]
> ===============
> *-343-* FDNY
> Never Forgotten
> ===============
>
>
> Vadim Rapp wrote:
>
>> Hello,
>>
>> in the event log of several machines, I noticed entries about failed
>> attempt to download the lsit of trusted authorities from
>> http://www.download.windowsupdate.co...uthrootstl.cab .
>> The problem was in proxy server - I opened the port and it was then
>> downloaded. But while I was trying it, I actually downloaded the cab,
>> unpacked it, and looked at the file - certificate trust list "authroot";
>> when opened, it said that "this certificate trust list is not valid. The
>> certifiate that signed the list is not valid". Viewing the signature
>> shows: "The certificate is not valid for the requested usage". Should I
>> worry?
>>
>> thanks,
>> Vadim Rapp

I checked the .cab file and one of the certs has expired, Vadim. Perhaps
that's where the invalid message is stemming from.
Can recall going over the trusted certs before on another system but I
can't remember the URL where they were downloaded from.
The MS Download Center should be offering the same .cab of root certs:
http://www.microsoft.com/downloads/d...DisplayLang=en

Ugh. It's an .exe. OK, just extracted it and the certs *appear* to all
be valid. Suggest you do the same or just run the .exe from a network share.

MowGreen [MVP 2003-2009]
===============
*-343-* FDNY
Never Forgotten
===============


Vadim Rapp wrote:

> But they did not expire - the error seems to be that the cert is "not good
> for requested usage". In which case it probably would be ignored
> alltogether.
>
> Depends though on the "requested usage" - I wonder what was it assumed to be
> when I just opened to view the certificate.
>
> Vadim
>
> "MowGreen [MVP]" <mowgreen@nowandzen.com> wrote in message
> news:u$V14WqPJHA.4680@TK2MSFTNGP06.phx.gbl...
>
>>Compare and contrast: Trusted root certificates that are required by
>>Windows Server 2008, by Windows Vista, by Windows Server 2003, by Windows
>>XP, and by Windows 2000
>>http://support.microsoft.com/kb/293781
>>
>>Even if the certs have expired some are still needed for 'backwards
>>compatibility'. So no, you don't need to worry.
>>
>>MowGreen [MVP 2003-2009]
>>===============
>> *-343-* FDNY
>>Never Forgotten
>>===============
>>
>>
>>Vadim Rapp wrote:
>>
>>
>>>Hello,
>>>
>>>in the event log of several machines, I noticed entries about failed
>>>attempt to download the lsit of trusted authorities from
>>>http://www.download.windowsupdate.co...uthrootstl.cab .
>>>The problem was in proxy server - I opened the port and it was then
>>>downloaded. But while I was trying it, I actually downloaded the cab,
>>>unpacked it, and looked at the file - certificate trust list "authroot";
>>>when opened, it said that "this certificate trust list is not valid. The
>>>certifiate that signed the list is not valid". Viewing the signature
>>>shows: "The certificate is not valid for the requested usage". Should I
>>>worry?
>>>
>>>thanks,
>>>Vadim Rapp
>
>
>