Trusted root certificate is magically installed to Windows

元气小坏坏 提交于 2021-02-07 10:01:25

问题


On certain sites the certificate chain can not be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove newly downloaded trusted root certificate from Windows storage, the chain can't be built again.

I know about Authority Information Access extension. The problem is that the topmost available certificate in the chain (the child of missing trusted root) does NOT have such extension included. And even if it had, Windows would not automatically trust the downloaded certificate.

So there must be some other source of knowledge about trusted roots. The question is - how can we use that source ourselves. The topmost available certificate is available here if anyone is interested in inspecting it.


回答1:


This link http://support.microsoft.com/kb/931125 explains how Windows updates root certificates silently in Vista and 7.




回答2:


Certificates contain an extension called "Authority Information Access" which contains the details of the issuing CA. An example of the certificate used for "https://gooogle.com" is shown below. The browser reads this value, downloads the certificate from the URL provided and repeats the process up the certificate chain.

google.com AIA Extension



来源:https://stackoverflow.com/questions/12122598/trusted-root-certificate-is-magically-installed-to-windows

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!