FYI: Windows Server 2022 does not have Root certificate

At the time I'm writing this, Microsoft Windows Server 2022 has not been released and is only available in "Preview". Having said that, I've installed the "Preview" and experienced errors when connecting to resources that use my LE certificate. I found the relevant certificate does not reside in the "Trusted Root CA Store" and wanted to bring this to the community's attention.

The following output shows the certs currently in the root store as well as the PowerShell & OS version.

PS C:\> gci Cert:\LocalMachine\Root

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\Root

Thumbprint                                Subject
----------                                -------
CDD4EEAE6000AC7F40C3802C171E30148030C072  CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com
BE36A4562FB2EE05DBB3D32323ADF445084ED656  CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, S=Western Cape, C=ZA
A43489159A520F0D93D032CCAF37E7FE20A8B419  CN=Microsoft Root Authority, OU=Microsoft Corporation, OU=Copyright (c) 1997 Microsoft Corp.
92B46C76E13054E104F230517E6E504D43AB10B5  CN=Symantec Enterprise Mobile Root for Microsoft, O=Symantec Corporation, C=US
8F43288AD272F3103B6FB1428485EA3014C0BCFE  CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
7F88CD7223F3C813818C994614A89C99FA3B5247  CN=Microsoft Authenticode(tm) Root Authority, O=MSFT, C=US
3B1EFD3A66EA28B16697394703A72CA340A05BD5  CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
31F9FC8BA3805986B721EA7295C65B3A44534274  CN=Microsoft ECC TS Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
245C97DF7514E7CF2DF8BE72AE957B9E04741E85  OU=Copyright (c) 1997 Microsoft Corp., OU=Microsoft Time Stamping Service Root, OU=Microsoft Corporation, O=Microsoft Trust Network
18F7C1FCC3090203FD5BAA2F861A754976C8DD25  OU="NO LIABILITY ACCEPTED, (c)97 VeriSign, Inc.", OU=VeriSign Time Stamping Service Root, OU="VeriSign, Inc.", O=VeriSign Trust Network
06F1AA330B927B753A40E68CDF22E34BCBEF3352  CN=Microsoft ECC Product Root Certificate Authority 2018, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
0119E81BE9A14CD8E22F40AC118C687ECBA3F4D8  CN=Microsoft Time Stamp Root Certificate Authority 2014, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
DF3C24F9BFD666761B268073FE06D1CC8D4F82A4  CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
D4DE20D05E66FC53FE1A50882C78DB2852CAE474  CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
B1BC968BD4F49D622AA89A81F2150152A41D829C  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
75E0ABB6138512271C04F85FDDDE38E4B7242EFE  CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2
742C3192E607E424EB4549542BE1BBC53E6174E2  OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43  CN=DigiCert Assured ID Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US

PS C:\> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      5.1.20348.1
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.20348.1
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1


PS C:\> gwmi win32_operatingsystem | fl Caption, Version, BuildNumber

Caption     : Microsoft Windows Server 2022 Datacenter Evaluation
Version     : 10.0.20348
BuildNumber : 20348

Can you describe more how you tested connecting to your LE-secured resources? I have a wild guess that if you visited a Let's Encrypt based site in Microsoft Edge the ISRG Root X1 certificate would appear in your root store. Windows does an interesting lazy-loading thing for its trust store.


My web servers (phbits.com) use LE certs. The WS2022 system is fully patched and yet Chrome & Edge returned a warning page:

Your connection isn't private
Attackers might be trying to steal your information from website.domain.com (for example, passwords, messages, or credit cards).

NET::ERR_CERT_AUTHORITY_INVALID

Firefox worked fine since it uses its own certificate store.

After adding the root certificate to the root store, all was fine.

Thanks for the link regarding lazy loading. I think I'd use a different adjective than "interesting". :slight_smile:

Tried opening the referenced link (https://valid-isrgrootx1.letsencrypt.org/) in Chrome & Edge and got the same error mentioned above. Turned off protected mode and got the error again. Lazy-load has yet to kick in. :thinking:
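Added diagnostic, not code from any post in this thread: it checks LocalMachine\Root for ISRG Root X1 (matched by subject CN, so no hard-coded thumbprint), forces one TLS handshake against the test host named above so CryptoAPI performs a chain build and gets the chance to auto-download the root, then checks the store again. The host name is the one from the thread; everything else is assumed.

```powershell
# Added example: does Windows' automatic root update populate ISRG Root X1 after a chain build?
$TestHost = 'valid-isrgrootx1.letsencrypt.org'   # test site referenced in the thread

function Test-IsrgRootPresent {
    # Match on the subject CN rather than a thumbprint so the check is not tied to one hash.
    [bool](Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like 'CN=ISRG Root X1,*' })
}

function Test-ChainForHost {
    param([string]$HostName)
    # A plain SslStream handshake with no custom validation callback: SChannel/CryptoAPI builds
    # and validates the chain exactly as the OS would, which is what triggers the root download.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        try {
            $ssl.AuthenticateAsClient($HostName)
            $valid = $true; $err = $null
        } catch [System.Security.Authentication.AuthenticationException] {
            # Thrown when the chain does not terminate in a trusted root (the browsers' CERT_AUTHORITY_INVALID).
            $valid = $false; $err = $_.Exception.Message
        }
        [pscustomobject]@{ Host = $HostName; ChainValid = $valid; Error = $err }
    } finally {
        $tcp.Close()
    }
}

"Before handshake: ISRG Root X1 in LocalMachine\Root = $(Test-IsrgRootPresent)"
$result = Test-ChainForHost -HostName $TestHost
$result | Format-List
"After handshake:  ISRG Root X1 in LocalMachine\Root = $(Test-IsrgRootPresent)"

if (-not $result.ChainValid -and -not (Test-IsrgRootPresent)) {
    # Assumed troubleshooting pointers: the "Turn off Automatic Root Certificates Update" policy
    # and blocked outbound access to Windows Update are the usual reasons the lazy load never runs.
    Write-Warning 'Chain build failed and the root was not auto-downloaded; check the Automatic Root Certificates Update policy and outbound access to Windows Update.'
}
```

Run it in an elevated session on the affected host; if the second check still reports False, the automatic root update mechanism itself is not completing rather than simply not having been triggered yet.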

Hmm. That does sound like something not working right on Microsoft's side of things. ISRG Root X1 is supposed to be trusted by them. I don't know if being in their "beta" or whatever means you can submit "tickets" or "feedback" or the like, but if you can I'd definitely recommend bringing it up with them.

Yes, I kind of meant it in the sense of the "May you live in interesting times" curse. :slight_smile:


Posted here:


Thanks. I don't know if it'd help whoever looks at it, but if you look at the Microsoft Trusted Root Program's page of their current trusted roots, you can see that ISRG Root X1 is there. (And it looks like ISRG Root X2 is there too!)


Thanks for the feedback! Updated the Microsoft thread with your post.


:slight_smile:
