http://support.microsoft.com/kb/931125
"
Windows Server 2003, Windows Server 2008, Windows Server 2008 R2
The automatic root update mechanism is enabled on Windows Server 2008 and later, but not on Windows Server 2003. Windows Server 2003 supports the automatic root update mechanism only partially, equivalent to the support on Windows XP. And since the root update package is intended for Windows XP client SKUs only, it is not intended for Windows Server SKUs. However, the root update package may be downloaded and installed on Windows Server SKUs, subject to the following restrictions.
If you install the root update package on Windows Server SKUs, you may exceed the limit for how many root certificates that Schannel can handle when reporting the list of roots to clients in a TLS or SSL handshake, as the number of root certificates distributed in the root update package exceeds that limit. When you update root certificates, the list of trusted CAs increases significantly in size and may cause the list to grow too long. The list is then truncated and may cause problems with authorization. This behavior may also cause Schannel event ID 36885. In Windows Server 2003, the issuer list cannot be greater than 0x3000. For more information about this issue, click the following article number to view the article in the Microsoft Knowledge Base: 933430 Clients cannot make connections if you require client certificates on a Web site or if you use IAS in Windows Server 2003.
NOTE: These limitations only apply if you have SSL client authentication enabled on Windows Server.
"
Ansonsten (wenn die Root CAs ok sind) ist das neue GAD Zertifikat im Browser gültig (IE).
Wenn aber das Program nicht die Gültigkeitsprüfung des IE nutzt, muss das Bankprogram das neue Zertifikat von sich aus kennen und als gültig erachten. Das geht dann nur mit einem Programmupdate.