Vista and Win7 use an automatic root-certificate update mechanism. http://support.microsoft.com/kb/931125 If the user's browsing hasn't cached the root we use for webauth, they will get a cert warning -- even if the webauth cert is valid and signed...