Hello, at some point my computer (Windows 7 Enterprise, joined to domain) lost the OIDs of EV certificates. The problem got fixed with a custom import of certificates into the local Trusted Root Certification Authorities store. After digging into the problem, it turned out that when an unknown certificate is met on the Web, Windows does not activate the Root certificate update functionality - no certificate call is made (no events from CAPI2 in the Event Viewer) and as a result Microsoft trusted certificates are not added automatically to the system.
My question is - which Group Policy setting to tweak, so that the Root certificate auto-update works?
I have checked the Resultant set of policy snap-in and I see no custom setting for Internet communications settings -> Turn off Automatic Root Certificates Update. In GPEdit it is set to Not configured.
But the local user has active Computer configuration -> Windows Settings -> Public Key Policies domain-imposed settings applied.
Which of these might be the problem? Is it something in Certificate Path Validation Setting? I have read http://technet.microsoft.com/en-us/library/cc731638.aspx but it is still not very clear.
In the Certificate path validation I have the following:
- Stores tab - all recommended are checked, except for Root certificate stores: Only Enterprise Root CAs.
- Network Retrieval - all options are on
It is worth noting that once added in the Local machine, any trusted root certificate works just fine.
http://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx was not of much use, either :(