Microsoft Roots Update Instructions

gunemalli

MODERATOR'S NOTE:
Please do a dig on the domain name www.download.windowsupdate.com and also a reverse dig on the IP# to get the rDNS, before you decide to download anything from windowsupdate.com. While windowsupdate.com appears to be owned by Microsoft, the specific IP# for the above looks a bit suspicious to me.


Something all you webhosts and website owners need. Microsoft has finally released an update for their aging and really old Root Certificate list. This brings the CA list and Certs known to MSIE on a par with Firefox and will bring down the monopoly of the CA giants. Here are the details.

Some instructions we received from Microsoft:

You can visit https://www.microsoft.com/downloads...FamilyID=c14f8940-71b7-41e3-8749-a00e01e22f17 to download and install the Root Update Package (the package of every root certificate in the Windows Root Certificate Program, including the StartCom root certificate).

You can also invoke automatic root update of new root certificates by visiting an https URL protected with a certificate that chains up to your root certificate. _Please note however the issues about relying on automatic root update and the likely necessity of clearing the Windows CRL cache on your own systems to allow it to work_.

*A note on Windows Update mechanics and the Windows CRL cache*. Often when corresponding with CAs after a root distribution, we hear that their new root certificate does not download automatically from Windows Update when they visit a website hosting a certificate that chains to it. This is because Windows draws a copy of a root certificate from its CRL cache before it visits Windows Update, and often an earlier version of a CA’s root certificate is present in the CRL cache even when they have deleted that root certificate from their system (removing a root certificate from a certificate store does not clear the CRL cache of that certificate). Windows is set to update its CRL cache and other services once a week, which can mean it will take one week for Windows XP or Vista to overcome the CRL cache issue naturally. Deleting the CRL cache, however, forces Windows to visit the Windows Update site and dynamically download the most current root certificates. I find that with the CRL cache cleared, an XP, Vista or Windows 7 machine will properly download a new root certificate from Windows Update.

Steps to clear the CRL cache:

On Windows XP:

1. Delete everything in the folder %Appdata%\Microsoft\CryptnetUrlCache (including subdirectories);

2. Delete (remove) any of your root certificates in the root store (from Internet Explorer select Tools / Internet Options / Content / Certificates, then delete (Remove) your root certificates, if present, from the Trusted Root Certificate store).

3. Restart all instances of IE. Make sure you shut down all instances of IE before restarting it.

On Windows Vista:

1. Delete everything in C:\Users\[username]\AppData\LocalLow\Microsoft\CryptnetUrlCache (including subdirectories).

2. Delete your root certificates from the Microsoft Management Console with the Certificates snap-in (from the Vista prompt, Start / Run / certmgr.msc).

3. Restart all instances of IE.

On Windows 7:

1. Delete everything in C:\Users\[username]\AppData\LocalLow\Microsoft\CryptnetUrlCache (including subdirectories).

2. Delete your root certificates from the Microsoft Management Console with the Certificates snap-in (from the Windows 7 prompt, Start / Run / certmgr.msc).

3. At a command prompt, run "certutil -urlcache * delete" to remove any remaining cached root update CTLs.

4. Restart all instances of IE.

You will need to remove **any** semblance of the Windows CRL cache to see proper root certificate download behavior. Your customers may have difficulties following instructions to clear the CRL cache on their systems. Remember, the CRL cache is updated once a week, so proper root certificate update behavior will commence for all Windows users no later than one week.

Notes:

On Windows Vista and later, \AppData is a hidden directory; make it visible by typing %temp% in the address bar.

If you cannot delete the \CryptUrlCache subdirectory or its contents, it may be held by crypto services; at a command prompt (with Administrator privileges) stop the cryptographic services:

net stop cryptsvc

then start them again:

net start cryptsvc

Delete \CryptUrlCache and its contents. Close all IE, then visit the test website once more.
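The Windows 7 procedure above, put into one script as an added example (this is not code from the original post, from Microsoft or from StartCom). It empties the CryptnetUrlCache directories named in the instructions, falls back to stopping and restarting cryptsvc if a file is locked as the Notes describe, runs the certutil step, removes any stale copy of the root from the Trusted Root stores, makes one TLS connection to a test site so that chain building triggers the automatic root update, and then reports whether the expected root has appeared. It assumes Windows 7 or later with PowerShell 3.0+ and an elevated prompt; the thumbprint and test URL are placeholders to be replaced with the values your CA publishes.

```powershell
<#
  Added example; not code from the original post, from Microsoft or from StartCom.
  Automates the Windows 7 CRL-cache clearing steps quoted above, then performs one
  TLS connection to a test site so the automatic root update can run, and reports
  whether the expected root has appeared.
  Assumptions: Windows 7 or later, PowerShell 3.0+, an elevated prompt (Stop-Service
  and the LocalMachine stores need it). $RootThumbprint and $TestUrl are placeholders.
#>
param(
    # SHA-1 thumbprint of the root your CA expects to be distributed (placeholder value)
    [string]$RootThumbprint = '0000000000000000000000000000000000000000',
    # An https URL whose certificate chains to that root (placeholder value)
    [string]$TestUrl = 'https://test.example.invalid/'
)

$ErrorActionPreference = 'Stop'
$RootThumbprint = ($RootThumbprint.ToUpper() -replace '[^0-9A-F]', '')

# Cache directories named in the instructions: the XP location under %AppData%
# and the Vista/7 location under LocalLow (Windows exposes no variable for LocalLow).
$CacheDirs = @(
    (Join-Path $env:APPDATA     'Microsoft\CryptnetUrlCache'),
    (Join-Path $env:USERPROFILE 'AppData\LocalLow\Microsoft\CryptnetUrlCache')
)

function Remove-StaleRoot {
    # Step 2: remove any copy of the root already present in the Trusted Root stores.
    param([string]$Thumbprint)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
        Get-ChildItem -Path $store |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                Write-Host "Removing '$($_.Subject)' from $store"
                Remove-Item -LiteralPath $_.PSPath -Force
            }
    }
}

function Clear-CryptnetUrlCache {
    # Step 1: empty the cache directories. If a file is locked by Cryptographic
    # Services, stop cryptsvc, retry, and start it again (the Notes above).
    param([string[]]$Paths)
    $existing = @($Paths | Where-Object { Test-Path -LiteralPath $_ })
    $wipe = { foreach ($d in $existing) { Remove-Item -Path "$d\*" -Recurse -Force } }
    try {
        & $wipe
    } catch {
        Write-Warning "Cache locked ($($_.Exception.Message)); restarting cryptsvc"
        Stop-Service -Name cryptsvc -Force
        try { & $wipe } finally { Start-Service -Name cryptsvc }
    }
    # Step 3: drop the cached root update CTLs as well.
    & certutil.exe -urlcache * delete | Out-Null
}

function Find-Root {
    # Look in every store a root can land in; AuthRoot is where the automatic
    # root update places the roots it downloads.
    param([string]$Thumbprint)
    foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot') {
        $hit = Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
        if ($hit) { return [pscustomobject]@{ Store = $store; Subject = $hit.Subject; NotAfter = $hit.NotAfter } }
    }
    return $null
}

# Step 4 precondition: IE must be fully closed before the cache is emptied.
Get-Process -Name iexplore -ErrorAction SilentlyContinue | Stop-Process -Force

Remove-StaleRoot -Thumbprint $RootThumbprint
Clear-CryptnetUrlCache -Paths $CacheDirs

# One TLS handshake to a site that chains to the new root makes CryptoAPI build
# the chain, which is what triggers the automatic root update download.
try {
    Invoke-WebRequest -Uri $TestUrl -UseBasicParsing | Out-Null
} catch {
    Write-Warning "Connection to $TestUrl failed: $($_.Exception.Message)"
}

$found = Find-Root -Thumbprint $RootThumbprint
if ($found) {
    "Root present after update in $($found.Store): $($found.Subject) (expires $($found.NotAfter))"
} else {
    "Root $RootThumbprint not present. Confirm the cache directories are empty and that $TestUrl really chains to it."
}
```

Run it from an elevated PowerShell prompt with the CA's thumbprint and test URL as arguments. The final check looks in LocalMachine\AuthRoot as well as the Root stores, because a root delivered by the automatic update lands in AuthRoot rather than in the store you deleted it from; if the root is still missing, the usual cause is a cache file that survived the wipe, which is the point of the "any semblance of the CRL cache" warning above.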
 
@gunemalli:

Please be so kind as to post the original location of the quote. See my note added to the thread. I'll be glad to remove it if someone can prove to me that my fears are ungrounded, but this is a serious issue; if someone other than Microsoft has told you how to update the certificate store en masse then this could be a major security issue.

Jeff
 
Hi,

Sorry if I've stirred things up. I received the info via my CA, startssl.com. I'm currently on my mobile, so I can't post much info on this. Also I will notify my CA about the IP address and ask him to check on it, and I will check about that myself.
 
No problem. I may be overcautious, but to me it appears like updating from a forged update site could be a major security hole. I don't run Microsoft so I'm not sure if this site is real or not. Please let us know what you find out.

Thanks.

Jeff
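The two checks raised in this thread, done from a Windows machine rather than with dig, as an added example that is not part of any post here: the download host's forward DNS and the reverse DNS of each address it resolves to (what the moderator's note asks for), and the Authenticode signature of the downloaded package, which is the check that actually decides whether a root update file came from Microsoft regardless of which server handed it out. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Get-FileHash; the package path is a placeholder.

```powershell
<#
  Added example; not code from the thread. Performs the two checks a defender
  wants before installing a root update package: that the download host's forward
  DNS and reverse DNS are consistent (the dig / reverse dig the moderator asked for),
  and that the downloaded file carries a valid Authenticode signature from Microsoft.
  Assumptions: Windows 8 / Server 2012 or later (Resolve-DnsName, Get-FileHash);
  $Package is a placeholder path.
#>
param(
    [string]$HostName = 'www.download.windowsupdate.com',
    [string]$Package  = "$env:USERPROFILE\Downloads\RootUpdatePackage.exe"   # placeholder file name
)

function Test-ForwardReverseDns {
    # Resolve the name, then resolve each address back to a PTR record. The
    # CNAME chain is reported too, since CDN-hosted names commonly reverse to the
    # CDN operator's domain rather than to the name queried; that is a reason to
    # look closer, not proof of forgery.
    param([string]$Name)
    $answers = Resolve-DnsName -Name $Name -Type A -ErrorAction Stop
    $aliases = @($answers | Where-Object { $_.QueryType -eq 'CNAME' } | ForEach-Object { $_.NameHost })
    foreach ($rec in ($answers | Where-Object { $_.QueryType -eq 'A' })) {
        $ptr = $null
        try {
            $ptr = (Resolve-DnsName -Name $rec.IPAddress -Type PTR -ErrorAction Stop |
                    Where-Object { $_.QueryType -eq 'PTR' } | Select-Object -First 1).NameHost
        } catch { }
        [pscustomobject]@{
            Name       = $Name
            CnameChain = ($aliases -join ' -> ')
            Address    = $rec.IPAddress
            ReverseDns = $ptr
            # Forward and reverse agree when the PTR names the queried host or one of its aliases
            Consistent = [bool]($ptr -and ((@($Name) + $aliases) -contains $ptr.TrimEnd('.')))
        }
    }
}

function Test-MicrosoftSignature {
    # Status 'Valid' means the file hash matches the signature and the signer chains
    # to a trusted root; the subject check then ties that signer to Microsoft. The
    # SHA-256 is recorded so the file can be compared with the publisher's stated hash.
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        File        = $Path
        Status      = $sig.Status
        Signer      = $subject
        IsMicrosoft = ($sig.Status -eq 'Valid') -and ($subject -match 'O=Microsoft Corporation')
        Sha256      = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

Test-ForwardReverseDns -Name $HostName | Format-List
if (Test-Path -LiteralPath $Package) {
    Test-MicrosoftSignature -Path $Package | Format-List
} else {
    Write-Warning "Package $Package not found; download it first, then rerun to check its signature."
}
```

The DNS output is evidence to weigh, not a verdict: a reverse record in a content-delivery network's domain is normal for Microsoft download hosts, so an inconsistent PTR alone does not show the site is forged. The signature result is the decisive check, because a package whose Authenticode status is anything other than Valid with a Microsoft signer should not be installed no matter which host served it.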
 
Thanks for following through on this. A forged certificate update, if possible, could be an incredibly dangerous attack vector.

Fortunately I don't use MS systems ;)

Jeff
 