How to add a self-signed 3rd-party root certificate without getting it auto-deleted (observable by EventId 4108)

  • Question

  • In a production environment, on a standalone 2012R2 server, I’ve added a “self-signed CA certificate” into “Local Machine” -> “Third Party Root Certification Authorities”.

    “Occasionally”, this certificate gets deleted, with a trace in the eventlog (Source CAPI2, eventid 4108, “Successful auto delete of third-party root certificate…”). My workaround now is an eventlog trigger on 4108 that then re-adds the cert into the store (which works, but is a dirty solution, and it means I need to have the private key stored on disk in order to re-add it).

    I’m looking for best practice on how to prevent this from happening.

    • The computer is not a member of a domain, so I cannot deploy the certificate through a GPO, and it doesn’t seem possible to deploy using a “Local GPO” (correct?)
    • For several reasons I don’t want to set up and configure a complete Windows PKI infrastructure in this case. All I want to do is to store a self-signed CA certificate in “Third Party Root Certification Authorities” and prevent it from getting deleted by Windows.
    • I know there’s a way to “Turn off Automatic Root Certificates Update”, but then I disable ALL root certificate updates – and that’s a poor workaround that reduces security on my system.

    My questions

    • Can you please explain if it’s possible to disable deletion of self-signed certificates from “Third Party Root Certification Authorities” without having to set the entire “Turn off Automatic Root Certificates Update”? Or can I in some way define that “My certificate with this particular thumbprint” shouldn’t get deleted?
    • Can you please explain what triggers this 4108 event? I’ve seen that it happens at certain times, but haven’t really been able to correlate whether it happens on some GPO update interval, or whether it’s some Windows Update that triggers it.
    • If it isn’t possible to prevent this deletion from happening, do you have some other suggestion (other than triggering on the 4108 event and re-adding the certificate) for adding a self-signed CA certificate to a store?

    Thanks in advance :)

    Friday, May 20, 2016 8:57 AM
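As an added example (not code from the original post, and not Microsoft documentation), the following PowerShell audit script covers the monitoring side of the question above: it checks whether a given thumbprint is still present in the “Third Party Root Certification Authorities” store (`Cert:\LocalMachine\AuthRoot`), lists the self-signed certificates in that store that are candidates for auto-deletion, pulls recent CAPI2 4108 events so their timestamps can be compared with GPO refresh or Windows Update activity, and reports (read-only) whether the “Turn off Automatic Root Certificates Update” policy is currently set. The thumbprint is a placeholder to replace; the provider name `Microsoft-Windows-CAPI2` in the Application log and the registry value `DisableRootAutoUpdate` under `HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot` are stated from memory and should be treated as assumptions to verify on the target system. The script changes nothing; it only reports.

```powershell
# Added audit example (not from the original post). Run in an elevated PowerShell
# session on the standalone server. Replace the placeholder thumbprint below.
param(
    [string]$Thumbprint   = 'REPLACE_WITH_YOUR_CA_THUMBPRINT',   # placeholder, not a real value
    [int]   $LookbackDays = 7
)

# Cert:\LocalMachine\AuthRoot is the "Third-Party Root Certification Authorities" store.
$AuthRootPath = 'Cert:\LocalMachine\AuthRoot'

# Is the certificate with this thumbprint still in the third-party root store?
function Test-ThirdPartyRootPresent {
    param([string]$Thumbprint)
    $wanted = ($Thumbprint -replace '\s', '').ToUpperInvariant()
    $match  = Get-ChildItem -Path $AuthRootPath | Where-Object { $_.Thumbprint -eq $wanted }
    return [bool]$match
}

# Self-signed certificates (Subject equals Issuer) in AuthRoot: the ones the
# auto-delete mechanism described in the question would act on.
function Get-SelfSignedThirdPartyRoots {
    Get-ChildItem -Path $AuthRootPath |
        Where-Object { $_.Subject -eq $_.Issuer } |
        Select-Object Thumbprint, Subject, NotAfter
}

# Recent 4108 "Successful auto delete of third-party root certificate" events.
# Assumption: logged to the Application log by provider Microsoft-Windows-CAPI2.
function Get-RootAutoDeleteEvents {
    param([int]$Days)
    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-CAPI2'
        Id           = 4108
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message
    }
    catch {
        # Get-WinEvent throws when nothing matches the filter; treat that as "no events".
        @()
    }
}

# Read-only check of the policy behind "Turn off Automatic Root Certificates Update".
# Assumption: the policy maps to DWORD DisableRootAutoUpdate = 1 under this key.
function Get-RootAutoUpdatePolicyState {
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $prop = Get-ItemProperty -Path $key -Name 'DisableRootAutoUpdate' -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 'not configured (auto root update enabled)' }
    if ($prop.DisableRootAutoUpdate -eq 1) { return 'disabled for ALL roots' }
    return "configured with unexpected value $($prop.DisableRootAutoUpdate)"
}

# ---- Report ---------------------------------------------------------------
Write-Host "Thumbprint $Thumbprint present in AuthRoot: $(Test-ThirdPartyRootPresent -Thumbprint $Thumbprint)"
Write-Host "Automatic root update policy: $(Get-RootAutoUpdatePolicyState)"

Write-Host "`nSelf-signed certificates currently in AuthRoot:"
Get-SelfSignedThirdPartyRoots | Format-Table -AutoSize

Write-Host "CAPI2 4108 auto-delete events in the last $LookbackDays day(s):"
$events = @(Get-RootAutoDeleteEvents -Days $LookbackDays)
if ($events.Count -eq 0) {
    Write-Host '  none found'
}
else {
    # TimeCreated is what you correlate against gpupdate / Windows Update timestamps.
    $events | Format-Table TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } -AutoSize
}
```

Running it on a schedule and diffing the output over time gives the timing data the second question asks for (when the 4108 events land, and whether the target thumbprint disappears with them) without re-adding anything automatically, so the private key never has to stay on disk for a re-import trigger.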