FAQ
•
September 2023
July 2023
Are you stressing about the next software update?
"For the Windows OS to run smoothly, all system updates must be installed." You've probably heard this phrase countless times, but have you ever considered its true meaning? As software developers, it's essential to focus on the tangible aspec
Before We Start
Let's go over why you need to keep Windows up to date.
- Security: Protect your system from vulnerability exploit attacks by applying the latest security patches. Also, by updating, you ensure ongoing support from the Microsoft side.
- Stability: Updates often include bug fixes and performance improvements that can help prevent crashes, freezes, and other issues that affect the system's stability.
- Compatibility: compatibility with new software and hardware components and top-notch cloud services.
- New features: Updates often also introduce new OS features and capabilities. These may improve productivity, enhance security, or provide new user functionality.
- Regulatory compliance: In some industries, regulatory requirements mandate the use of updated software to ensure compliance. Failure to comply with these requirements can result in fines, legal penalties, or other negative consequences.
- Avoid downtime: Installing updates takes less time than handling the results of an exploited security flaw or a compatibility issue and does not involve lost productivity, revenue, and customer satisfaction.
A Closer Look at Security Certificates: Addressing the Issue on Your Server. How they work.
Have you ever wondered how security certificates work? They are digital files that verify the authenticity of websites or software applications, helping you access legitimate content without being redirected to fake or malicious sites. Certificates establish trust between you and the target software, ensuring that a third party does not access or modify your data.
While security checks usually happen automatically, issues such as an expired certificate may sometimes prevent your browser from connecting to a site. In this article, we'll delve more into this specific aspect of security certificates and explore ways to address the issue on your server if it doesn't have access to Windows updates.
In terms of CORTROL software, it is all the same. If you keep your OS up to date and download the software from the official website, everything will be smooth and silent. Meanwhile, what happens in the background:
- We sign CORTROL software with a Code Signing Certificate issued by a certification authority. Each certificate is valid for a specific period.
- Your OS must know about those newly issued certificates. Otherwise, it cannot trust the certificate inside the new software version.
- Windows also receives the latest information about the released trusted certificates when it downloads updates.
And What if They Don't
It is possible to encounter problems in the following scenarios:
- If the latest software version is signed with a new certificate not included in the trusted certificate list on the local machine, you may not be able to install it.
- When your OS root certificate expires, any validated certificates are no longer trusted. This can cause already running software to stop functioning. In the first case, you will immediately know about the problem when starting the installation. Or even not know about it at all if the computer is connected to the internet, as the OS will download the required certificate on demand. The second case poses a more serious issue, as you will not get any notifications about the situation.
How Will You Know?
How can you determine if there is an issue with the CORTROL certificate? A typical symptom is that your CORTROL clients won't connect to the server, as if it does not exist or is not running at the target address. Of course, this behavior is also typical when CORTROL services are stopped, so verify that the services are running and that you are using the correct addresses. Next, run the netstat command from the Windows Command Line: your CORTROL TCP and HTTP/HTTPS ports (60554 and 8080 by default) must be LISTENING.
So, again, if the troubleshooting reveals that
- CORTROL services are up and running, but CORTROL server ports are not open, and
- As a result, upon connection attempt, CORTROL Console/Monitor produces the "No connection could be made because the target machine actively refused it" error (even if it should be another error, e.g., wrong password), and
- When you check the digital signature in the properties of the CORTROL .exe files, you see that Windows cannot validate the certificate, the certificate is likely causing the problem.
How to Fix It
Option 1: If a newer software version exists, install it and see if it helps. However, if the certificate is valid (not outdated), the next version will likely use the same one.
Option 2: Downgrade to the previous software version. This may be a temporary fix if you need the newest CORTROL features.
Option 3: Install the required certificates. You must manually update the credentials below to avoid automatically receiving regular OS updates. The general plan is to use a computer with Internet access to download the complete list of current root certificates and then install the credentials from that file on the offline server.
Download
On a computer with Internet access (e.g., your laptop), use certutil.exe — a CLI tool built into Windows 10 and 11 and a part of Certificate Services in Windows Server — for certificate management. To generate the file, open the command prompt with elevated rights (cmd.exe >Run As > Administrator) and type:
C:\Windows\System32>certutil.exe -generateSSTFromWU C:\roots.sst
where C:\roots.sst is the path to the SST file to be generated. If you put it into a directory, ensure the folder exists; otherwise, you will get an error like the one shown in the snapshot. You can first navigate to the target directory and use the command without the path parameter.
Import
Copy the SST file to the server that doesn't have the updates and Internet access, and do the following there:
- Click Start > Run (or Win key +R) to open the prompt window, then type certmgr.msc to open the certificate manager (alternatively, type certmgr in the Windows search panel and open the certificate management).
- Right-click the "Trusted Root Certification Authorities" node > All Tasks > Import.
- In the wizard, click Next > Browse for files > change the target file type to "All Files" to include the SST file type > select your imported SST file.
- Choose the "Place all certificates in the following store" option, where "Trusted Root Certification Authorities" should be pre-specified (see snapshot).
- Click Next to proceed, then click Finish.
You must click the confirming "Yes" many times, once for every certificate in the .sst file. At that point, you will probably swear to enable automatic updates the next thing.
Luckily, there is a much quicker way to import the whole lot — by using the Windows PowerShell with the following commands (remember to adjust the file path according to yours):
$sstStore = (Get-ChildItem -Path C:\roots.sst )
$sstStore | Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root
After that, the only thing left is running the certmgr.msc snap-in and ensure all certificates have been added to the Trusted Root Certification Authorities list. The list must contain many more certificates compared to the original one!
In conclusion, it is essential to keep your Windows servers up to date with the latest updates for optimal security and system performance. This helps to safeguard customer data against potential threats and ensure smooth operation. However, in cases where security levels in specific locations do not permit online access, it may be necessary to utilize manual maintenance techniques.