Windows – Where to get root CA certificates for Windows Server now that Microsoft no longer updates them

Tags: certificate-authority, windows

Microsoft removed root CA updates from WSUS in January 2013. I now have some fresh installs of Windows Server 2012 that have an insufficient set of root CAs (basically just Microsoft's own CAs). This means that whenever our application calls an https web service it will fail unless I specifically install the root CA.

Since our application uses SSL termination at a load balancer I don't need to worry about the 16KB SChannel limitation that prompted Microsoft to remove these updates. I'd like to find a resource to install and update standard root CAs. Does anyone know of such a resource?

Here is an image of the default root CAs in WS2012.
[Image: default WS2012 root CAs]

Best Answer

It seems that this is due to the oddball GPO that my company uses.

As outlined here, the GPO setting "Computer Configuration\Administrative Templates\System\Internet Communication Management\Turn off Automatic Root Certificates Update" was Enabled, meaning that the OS wouldn't pull root CAs from Microsoft. Setting this to Disabled fixed the issue.
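
The following PowerShell audit is an added example, not part of the original answer. It reads the registry value that backs the "Turn off Automatic Root Certificates Update" policy (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, value DisableRootAutoUpdate) and summarizes the machine's trusted root store; the function names are made up for this example.

```powershell
# Added example: check whether policy has turned off automatic root updates
# and show how sparse the LocalMachine\Root store currently is.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$valueName = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    param([string]$Key = $policyKey, [string]$Name = $valueName)
    # A missing key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item)   { return 'Not Configured (automatic root update active)' }
    if ($item.$Name -eq 1) { return 'Enabled (automatic root update turned OFF)' }
    return 'Disabled (automatic root update active)'
}

function Get-RootStoreSummary {
    $roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)
    $now   = Get-Date
    [pscustomobject]@{
        Total        = $roots.Count
        NonMicrosoft = @($roots | Where-Object { $_.Subject -notmatch 'Microsoft' }).Count
        Expired      = @($roots | Where-Object { $_.NotAfter -lt $now }).Count
    }
}

"Policy state: $(Get-RootAutoUpdateState)"
Get-RootStoreSummary | Format-List

# A local registry edit is overwritten at the next policy refresh, so change
# the setting in the GPO itself, then refresh computer policy and re-check:
#   gpupdate /target:computer /force
# To see which GPOs apply to this computer:
#   gpresult /scope computer /r
```

With the policy Disabled or Not Configured, Windows fetches a missing trusted root on demand the first time a chain needs it, so the store grows as the server makes outbound TLS connections rather than all at once.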