
Certificate Count in the Trusted Root Certificate Authorities store exceeds 200

When applying the 1.85 RC upgrade, the prerequisite checker reports that the certificate count in the 'Trusted Root Certificate Authorities' store exceeds 200 and that some certificates should be removed. We have had fallout from this issue with other services following Microsoft's recent root certificate update and worked around it by modifying a registry key on those servers that prevents them from sending the CA list and hitting the byte limit that causes the issue, but no one could offer any advice on exactly how to determine which root certificates should be removed. Does anyone here know? Surely we would create some issues by just selecting a bunch and deleting them, but how can we know which Root CAs are needed and which aren't?

  • Hi Andrew,

    Here's a snippet from the following KB article:

    SolarWinds Knowledge Base :: ERROR: All management servers are unavailable for management group. 200 certificates

    The following are examples of certificates that are generally considered safe to delete:

    Expired certificates

    Unknown foreign certificates

    Certificates with a key-length of 1024 bits or smaller

  • Thanks for the KB link, that information was helpful, but unfortunately didn't resolve the issue for us. From the certificate manager I was able to sort the certificates in the Third-Party Root Certification Authorities store by expiration date and delete the expired ones, but I was still left with 310 certificates - well over the 200 limit, and I could find no way to find and/or delete certificates with a key-length of 1024 bits and smaller. Also, the KB article suggests deleting "unknown foreign certificates", but I was not sure how one identifies these. I saw many CA names listed that I'm not personally familiar with, or that have apparently non-English names, but I don't think that necessarily qualifies them as unneeded.

    After some research, I discovered that MS has released a KB about this very specific issue:

    SSL/TLS communication problems after you install KB 931125.

    In it, they acknowledge that a December root certificate update package intended for clients was mistakenly offered for servers for a short time. This update package contained over 330 Third-Party Root CAs and creates this issue. The recommended fix is to delete all Third-Party Root Certificate Authorities and allow them to be re-applied by Windows Update (after expiring the bad 931125 update).

    See also, Windows root certificate program members
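
Added example, not part of the original thread or of either KB article: a read-only PowerShell inventory of the two local machine root stores discussed above, counting each against the 200 limit and flagging expired certificates and RSA keys of 1024 bits or smaller. The helper name `Get-RsaKeySize`, the CSV file name and the use of the `Root` and `AuthRoot` store names for the two stores are choices made for this example.

```powershell
# Added example: inventory only, nothing is deleted.
# 'Root'     = Trusted Root Certification Authorities
# 'AuthRoot' = Third-Party Root Certification Authorities
# The Root listing can include certificates that also appear under AuthRoot,
# so do not add the two counts together.
$stores = 'Root', 'AuthRoot'
$limit  = 200            # threshold reported by the prerequisite checker in the thread
$now    = Get-Date

function Get-RsaKeySize {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
        if ($rsa) { return $rsa.KeySize }
    } catch { }
    return $null         # non-RSA key (for example ECDSA) or unreadable key
}

$report = foreach ($store in $stores) {
    Get-ChildItem -Path "Cert:\LocalMachine\$store" | ForEach-Object {
        $bits = Get-RsaKeySize -Cert $_
        [pscustomobject]@{
            Store      = $store
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            KeyBits    = $bits
            Expired    = $_.NotAfter -lt $now
            WeakKey    = ($null -ne $bits -and $bits -le 1024)
        }
    }
}

# Per-store count against the limit
$report | Group-Object Store | ForEach-Object {
    $state = if ($_.Count -gt $limit) { 'OVER' } else { 'ok' }
    '{0,-9} {1,4} certificates, limit {2}: {3}' -f $_.Name, $_.Count, $limit, $state
}

# Candidates matching two of the KB criteria: expired, or RSA key <= 1024 bits
$report | Where-Object { $_.Expired -or $_.WeakKey } |
    Sort-Object Store, NotAfter |
    Format-Table Store, NotAfter, KeyBits, Expired, WeakKey, Subject -AutoSize

# Keep a record of the store contents before any cleanup
$report | Export-Csv -Path .\root-store-inventory.csv -NoTypeInformation
```

The script only reports; the flagged entries still need review before anything is removed, and the exported CSV gives a record of what was in each store beforehand.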