A fix is now available for Root Certificate Update issue on Windows Server–Microsoft updated its KB 931125, a package that was intended “only for client operating systems” to patch the Windows Servers and rolled out through WSUS and Windows Update.
“This package is designed to update the store of trusted root certificates, and adds a large number of certificates to the store. Windows Vista and later automatically update their own stores, but Windows XP requires regular updates,” Christa Anderson wrote on Windows Server blog.
Explaining the issue she notes, that the
“SChannel security package used to send trusted certificates to clients has a limit of 16KB. Therefore, having too many certificates in the store can prevent TLS servers from sending needed certificate information; they start sending but have to stop when they reach 16KB. If clients don’t have the right certificate information, they cannot use services requiring TLS for authentication. Because the root certificate update package available in KB 931125 manually adds a large number of certificates to the store, applying it to servers results in the store exceeding the 16KB limit and the potential for failed TLS authentication.”
To resolve this issue, she said that they in December last year, they first pulled the package from Windows Update and WSUS, so it’s no longer available to servers. “If you update your WSUS servers, the package will be gone (although it will remain on any servers to which you already deployed it),” she said.
And, to help those who have already installed the update on servers, the company is providing a Fixit solution in KB 2801679. “If you’re experiencing any outages of TLS-dependent services, we recommend to use the Fixit solution in KB 2801679,” she adds.