Windows Automatic Root Update updates a user’s Trusted Root Certification Authority store with Microsoft’s latest approved list of CA certificates.
In rare cases, end users may have the Windows Component named the Automatic Root Update disabled on their local machine. In these cases, the end user will have the legacy QuoVadis Root Certification Authority on their machine but not the other newer QuoVadis roots (even though they have been approved by Microsoft). This may cause problems in their use of QuoVadis SSL.
These end users will likely also encounter similar problems with SSL issued by other CAs.
To accommodate this scenario, QuoVadis provides for installation on your server a Cross Certificate that links QuoVadis Root CA 2 to the legacy QuoVadis Root Certification Authority. This allows the following end users to make https connections without errors:
Why can’t I just delete the QuoVadis Root CA 2 off of the server?
- End users who have the QuoVadis Root Certification Authority certificate installed but have Automatic Root Updates turned off; and
- End users who have the QuoVadis Root CA 2 certificate installed.
Most Windows Servers have Automatic Root Update turned on by default. If you were to simply delete the QuoVadis Root CA 2 certificate out of the root store while the Cross Certificate is installed, the server would later automatically attempt to reinstall QuoVadis Root CA 2 and ignore the Cross Certificate.
While you could turn off Automatic Root Updates on older version Windows servers, this is not recommended as your server would not receive important updates from Microsoft.
The solution is to retain QuoVadis Root CA 2 on your server but to disable it. This serves two purposes:
- The server will instead rely on the Cross Certificate, allowing end users to chain up to the legacy QuoVadis Root Certification Authority; and
- Automatic Root Update will not attempt to reinstall QuoVadis Root CA 2, breaking the Cross Certificate.
The following steps describe how to disable QuoVadis Root CA 2.
Part I – Open MMC
First you must open the Microsoft Management Console.
Part II – Disable QuoVadis Root CA 2
- Click on Start and then Run.
- In the Run window, type MMC in the Open: field and click on the OK button.
The Console1 window will appear.
- Click on File at the top and then select Add/Remove Snap-in... Alternatively, you can press Ctrl + M.
- In the new window, click on the Add... button at the bottom. This will open a third window.
- Scroll down in the Add Standalone Snap-in window and find the Certificates component. Once found, highlight it and click on the Add button at the bottom. Alternatively, you can double-click on Certificates.
In a new window, you will be given 3 options for which account you want the certificates snap-in to manage.
- Select the Computer account radio button and click on the Next button.
- At the next screen, click on the Finish button.
- Back in the Add Standalone Snap-in window, click on the Close button.
- Click on the OK button in the Add/Remove Snap-in window.
You should be back in the Console1 window. You will see that Certificates (Local Computer) has been added on the left hand pane.
Part III – Check for the Cross Certificate
- Click on the "+" sign next to Certificates (Local Computer) to expand it (if it isn't already expanded).
- Locate and expand the Trusted Root Certification Authorities store and the click on the Certificates folder underneath it.
In the right hand pane, you should see a list of certificates. Click on any certificate that you see and press the letter "Q" on your keyboard to fast-track to the QuoVadis root certificates. Verify that you have the QuoVadis Root CA 2 certificate in this list of certificates in the right hand pane.
Note: Ensure that the expiration date of the QuoVadis Root CA 2 is 2031.
- Right-click on the QuoVadis Root CA 2 and click on Properties from the drop down menu.
- In the Certificate purposes section, select the Disable all purposes for this certificate radio button.
- Click on the Apply button and then click on the OK button.
- Click on the "+" sign next to Certificates (Local Computer) to expand it.
- Locate and expand the Intermediate Certification Authorities store and then click on the Certificates folder underneath it.
In the right hand pane, you should see a list of certificates. Verify that you have the QuoVadis Root CA 2 certificate in this list of certificate in the right hand pane. If you find that you have a QuoVadis Root CA 2 certificate, please make sure that the expiry date of this certificate is 2017 and not 2031. If you do have this certificate in the Intermediate Certification Authorities store, then you have completed this guide. If you do not, then the next steps will guide you through the process of installing these files.
- Place the certificate into a directory where they can be accessed by the server.
- Right-click on the Certificates folder underneath the Intermediate Certification Authorities folder and in the drop-down menu, select All Tasks and then click Import.
- The Certificate Import Wizard will appear. At the welcome screen, click on the Next button.
- You must specify the file to import. Click on the Browse... button and find and select the QuoVadis Root CA 2 (cross) certificate from the directory in step 3. Once selected, it should appear in the File name: field. Click on the Next button.
- On the next screen, the option for Place all certificates in the following store should be selected by default and in the Certificate store: field should be Intermediate Certification Authorities. Click on the Next button.
- At the summary screen, click on the Finish button.
- You should get a message that reads, The import was successful.