Citrix StoreFront Console Error: The management console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate ‘VeriSign Class 3 Primary CA – G5’

We were receiving the error “The Management Console is unavailable because a root certificate is missing. Go to VeriSign and download the certificate ‘VeriSign Class 3 Primary CA – G5’” on a newly installed StoreFront Server (3.12 from the 7.15CU1 release) console. I had remembered seeing this issue several StoreFront iterations ago, and googled to see if the issue had cropped up again. At the bottom of an old Citrix discussion post (https://discussions.citrix.com/topic/382558-the-management-console-is-unavailable-because-a-root-certificate-is-missing/?page=2) there was the following workaround registry change just recently posted:

HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot
DWORD: DisableRootAutoUpdate
VALUE: 0

Root CA auto-update automatically checks a list of trusted certificate authorities in the Certificate Trust List (CTL). If an application presents a certificate that is NOT on the CTL, the feature reaches out to the Windows Update site. Stored CTLs are appropriate for disconnected or air-gapped environments, according to the Microsoft documentation for Server 2012 R2 (https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn265983(v=ws.11)), and disabling automatic updates for trusted CTLs is recommended.

Additionally, the DISA Security Technical Implementation Guide (STIG) states that root certificates must not be updated automatically from the Microsoft site. If the DisableRootAutoUpdate registry key does not have a value of 1 (enabled), this is a finding of Low Severity (Finding ID: V-15671).

In our environment, the group policy “Turn Off Automatic Root Certificates Update” in Computer Configuration > Administrative Templates > System > Internet Communication Management > Internet Communication settings is set to “Enabled”. After changing the registry key above on the StoreFront server to 0, the console did in fact start working; however, after a reboot, the policy was reapplied (changing the key value to 1) and the console continued to work.

In the event log, there were CryptoAPI update events “Event ID 4: Successful auto update retrieval of third-party root certificate…”. After the reboot, the automatic update was disabled and no further CAPI events were seen. If there is no list of trusted CAs on the local computer, or that list is not in sync with the global CTL, this key will need to be set to 0 temporarily in order to update the local file.
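The check-and-restore sequence described above can be scripted. This PowerShell sketch is an added example, not part of the original post: it reports the current DisableRootAutoUpdate value, optionally sets it to 0 while you open the console, restores the previous value, and lists recent CAPI Event ID 4 entries. The `-TemporarilyAllowUpdate` switch name, the one-day lookback and the `Microsoft-Windows-CAPI2` provider name are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original post). Run elevated on the StoreFront server.
param([switch]$TemporarilyAllowUpdate)   # hypothetical switch name

$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$name = 'DisableRootAutoUpdate'

function Get-RootAutoUpdateState {
    # Returns the DWORD value, or $null when the key or value is absent.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$name
}

$original = Get-RootAutoUpdateState
$shown = if ($null -eq $original) { '<not set>' } else { $original }
Write-Output "$name = $shown"
if ($original -ne 1) {
    Write-Warning "$name is not 1; the STIG check cited in the post would report a finding."
}

$start = Get-Date
if ($TemporarilyAllowUpdate) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
    try {
        Read-Host 'Value set to 0. Open the StoreFront console, then press Enter to restore'
    }
    finally {
        # Put back exactly what was there instead of waiting for the next policy refresh.
        if ($null -eq $original) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        } else {
            Set-ItemProperty -Path $key -Name $name -Value $original -Type DWord
        }
    }
}

# Assumption: the events are written to the Application log by Microsoft-Windows-CAPI2.
$filter = @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'
             Id = 4; StartTime = $start.AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List
```

If no Event ID 4 entries are listed after the console has been opened with the value at 0, the root certificate retrieval did not happen during that window.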
