I've been trying to find a "good" answer to how to deal with this issue and I really can't find any solid advice. Recently the Microsoft Trusted Root Certificate Updates have exceeded the acceptable limits that were originally set within Windows. I have apps that are now failing because there are > 200 entries in the Trusted Root Certificate Store. SChannel errors are showing up on a TON of servers. The only advice I've found is to "manage" the store. This is kind of a nebulous term. I've gone into one of these servers and removed expired certificates from this store, and now I'm trying to figure out how best to 'prune' valid ones. I'm guessing the ramification is that if we have communications issues due to TLS/SSL errors we should see who the signing authority is to resolve this issue. Is there any good guidance on how to prune this list with the least amount of potential problems? Is there any guidance on how to do it for 163 servers in an enterprise?