Hi to all, we have a certificate problem. A lot of our newly installed Win7 computers get certificate error with the IE8 called something like the certificate can not be verified by a CA and the CA certificate gives the information it is not trustworthy. All computers get there updates by WSUS and we work behind a proxy. My guess is, the computers are not able to update the root certs. This seems to be proven by a notebook, that doesn't have the problem. Is there an easy way to get this problem solved? thanks in advance for any reply because I haven't found anything in the www. Executer

Hi there I have the same problem in a school that is behind a managed firewall whereby all access to the internet is routed through the ISP proxy. Although this is the first windows 7 PC I have set up on this LAN i do not intent it to be the last and I certainly don't want to have to manually update the root certificates on every new PC that gets deployed. I have an open call with the ISP who are asking me for the exact url to unblock and as yet I am unsure as to where to find this. I was under the impression it was as per this article re Vista http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx#BKMK_How but we have tried unblocking the domain www.download.windowsupdate.com . We have created exceptions for both http and https. I don't know how flexible the wildcard options are on the ISP firewall or the level of access that the particular operator has to this. I suspect from the occasional error messages it is a squid proxy. Also this has affected the installation of digitally signed hardware causing a certificate warning at point of install. Do you know if it is a different protocol or even what the url is that us used for the automatic updates of root certificates under windows 7/IE8?I am getting the following errors in event log:Log Name: ApplicationSource: Microsoft-Windows-CAPI2Date: 08/02/2010 09:36:37Event ID: 4110Task Category: NoneLevel: ErrorKeywords: ClassicUser: N/AComputer: STJ-VAIO-01Description:Failed to add certificate to Third-Party Root Certification Authorities store with error: A certificate chain could not be built to a trusted root authority. Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" /> <EventID Qualifiers="0">4110</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2010-02-08T09:36:37.492488400Z" /> <EventRecordID>2507</EventRecordID> <Correlation /> <Execution ProcessID="1576" ThreadID="1952" /> <Channel>Application</Channel> <Computer>STJ-VAIO-01</Computer> <Security /> </System> <EventData> <Data> </Data> <Data>A certificate chain could not be built to a trusted root authority.</Data> </EventData></Event>The second may or may not be relevantLog Name: SystemSource: Microsoft-Windows-DNS-ClientDate: 08/02/2010 09:32:14Event ID: 1014Task Category: NoneLevel: WarningKeywords: User: NETWORK SERVICEComputer: STJ-VAIO-01Description:Name resolution for the name crl.microsoft.com timed out after none of the configured DNS servers responded.Event Xml:<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-DNS-Client" Guid="{1C95126E-7EEA-49A9-A3FE-A378B03DDB4D}" /> <EventID>1014</EventID> <Version>0</Version> <Level>3</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x4000000000000000</Keywords> <TimeCreated SystemTime="2010-02-08T09:32:14.634061500Z" /> <EventRecordID>5327</EventRecordID> <Correlation /> <Execution ProcessID="1576" ThreadID="4804" /> <Channel>System</Channel> <Computer>STJ-VAIO-01</Computer> <Security UserID="S-1-5-20" /> </System> <EventData> <Data Name="QueryName">crl.microsoft.com</Data> <Data Name="AddressLength">16</Data> <Data Name="Address">020000350A0C44960000000000000000</Data> </EventData></Event>

This issue was resloved by my ISP when they added a global exception for the domain http://www.download.windowsupdate.com/to their proxy.

Hi Frostyflame, how did you manage that NETWORK SERVICE uses a proxy? We have same problem - I guess due to the fact that the user's proxy setting is not used when NETWORK SERVICE tries to download the certificates. BR, Torsten.

finally MS fixed it: http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-root-certificate-update-failure-march-3-2011.aspx?wa=wsignin1.0