This article applies to:

• WebMarshal
• LevelBlue MailMarshal (SEG)
• LevelBlue ECM/MailMarshal Exchange

Question:

• How do I ensure that required SSL CA root certificates are installed on a Windows server?

Background:

• WebMarshal uses HTTPS to retrieve and inspect HTTPS website content. To verify the status of HTTPS certificates, WebMarshal processing nodes require locally installed copies of any CA (root) certificates used to sign the website certificates.
• All of the named products use HTTPS to access product update websites. To verify the security of the update sites, these products require locally installed copies of the CA (root) certificates for all hosting locations, including Microsoft, DigiCert, and Let's Encrypt.
  • Updates can be requested by the Array Manager and processing nodes.
• In some versions of Windows Server, only a small set of CA (root) certificates is installed by default. The certificates required by these products may not be included.

Procedure:

To ensure that the latest root certificates are installed on a Windows server, use the following procedures.

• Note: These instructions assume that the servers have access to the Internet and/or Windows Update. For information about how to update certificates on disconnected servers, see the Microsoft article Configure Trusted Roots and Disallowed Certificates.

1. Create a folder location to hold downloaded files. This example uses C:\Certificates
2. Open an elevated (Administrator) command prompt.
3. Enter the following command to retrieve a listing of root certificates from Windows Update:
   
   certutil -GenerateSSTfromWU c:\Certificates\Rootcerts.sst
4. Open an elevated (Administrator) Powershell prompt.
5. Enter the following commands to import or update all root certificates:
   
   $file = ( Get-ChildItem -Path C:\Certificates\Rootcerts.sst )
   $file | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root 
6. The Powershell command result shows each certificate that is contained in the SST file. This list includes certificates that are already installed on the local machine.
   • You can also view the list of certificates in the Trusted Root Certification Authorities store by running the Windows CertLM utility, or the MMC Certificates snap-in for the local machine.

Notes:

• The CA certificates for SEG and ECM updates change very rarely.
  • In mid-2023, DigiCert began using a new root certificate (DigiCert Global Root G2). For more details see information from DigiCert.
  • In late 2024, LevelBlue began using certificates issued by Let's Encrypt from the ISRG Root X1.
• To ensure that WebMarshal is up to date with the latest CA certificates, you can script the certificate update to run once a week, using Windows Scheduled Tasks.
• Advanced users can choose which root certificates they wish to add. For basic information about this process, see the Microsoft article linked above.
• Certutil also provides a method to import certificates. However, this method does not correctly import all certificates from the SST files. LevelBlue strongly recommends the use of Powershell to import certificates.