Windows has an internal list of unremovable root certificates
On Windows, according to this information, root certificates are updated using the Certificate Trust List (CTL). Although it follows from the article that this is some kind of add-on for caching the list of certificates on a local server, a search helpfully turns up authrootstl.cab, signed by Microsoft, which Windows, starting from 7, trusts unconditionally and updates every week, or every day if update KB3004394 is installed.
In the console (MMC), you can add certificates that you do not trust, but deleting the root certificate is not so simple.
Inspired by the recent scandal with the merger of WoSign and StartCom, I decided to remove some dumb certificate from Windows 7. The choice fell on Izenpe.com (06 e8 46 27 2f 1f 0a 8f d1 84 5c e3 69 f6 d5), because of the Basques and SHA-1. No such luck. After deleting the root certificate and opening https://www.izenpe.com in Chrome 55.0.2883.87 m, the certificate reappeared in the list of third-party root certification authorities and, accordingly, in the list of trusted root certification authorities. Which, in principle, is expected.
Google Chrome attempts to use the root certificate store of the underlying operating system to determine whether an SSL certificate presented by a site is indeed trustworthy, with a few exceptions.
https://www.chromium.org/Home/chromium-security/root-ca-policy
Repeating the trick with Firefox 50.1.0 did not work: it uses its own certificate store inside the browser. With Internet Explorer 11.0.9600.18163 the trick repeats.
It would seem that the culprits were found. But no: we take https://opensource.apple.com/source/security_certificates/security_certificates-55036/roots/Izenpe-RAIZ2007.crt and open it through the Crypto Shell Extensions, that is, by double-clicking.
And we see that the certificate is trusted.
How's that? We go into the console and see that the ill-fated certificate is on the list of trusted root certificate authorities.
Or does Windows perhaps pull all unknown root certificates into the trusted store? We take OpenSSL, generate a root certificate, open it. Untrusted.
And I had already gotten my hopes up about being able to sign my own CA certificates for GitHub. Although none of the registry entries described in the TechNet article exist by default in either Windows 7 or Windows Server 2012, it is evident that there is a hardcoded list of trusted certificates that is visible neither in the registry, nor in group policies, nor in the management console.
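A way to check from PowerShell where a given root's trust actually comes from on a Windows host, repeating the post's experiment (visible stores, then a chain build like the double-click view, then the stores again). This is an added example, not code from the post; it assumes the `DisableRootAutoUpdate` value under `HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot` is the auto-update switch the TechNet article refers to, and the `.crt` path is a placeholder.

```powershell
# Added example: report where a root certificate's trust comes from on this host.
# Usage: Test-RootTrust -CertPath 'C:\path\to\Izenpe-RAIZ2007.crt'   (placeholder path)
function Test-RootTrust {
    param([Parameter(Mandatory=$true)][string]$CertPath)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $tp   = $cert.Thumbprint

    # Visible stores: Root (trusted roots), AuthRoot (third-party roots pulled in by the
    # auto root update), Disallowed (explicitly untrusted, the MMC "do not trust" list).
    $stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot',
              'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Disallowed'
    $foundBefore = @()
    foreach ($s in $stores) {
        if (Get-ChildItem $s | Where-Object { $_.Thumbprint -eq $tp }) { $foundBefore += $s }
    }

    # Policy switch for the weekly/daily authrootstl.cab refresh.
    # Assumption: this is the registry value the TechNet article describes; 1 = auto update off.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $policy = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    $autoUpdateDisabled = ($policy -ne $null) -and ($policy.DisableRootAutoUpdate -eq 1)

    # Build the chain the same way the shell's double-click view does (CertGetCertificateChain).
    # A chain build is exactly what can trigger the auto update download, so the stores are
    # listed again afterwards to show whether the root was just pulled in.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built  = $chain.Build($cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    $foundAfter = @()
    foreach ($s in $stores) {
        if (Get-ChildItem $s | Where-Object { $_.Thumbprint -eq $tp }) { $foundAfter += $s }
    }

    New-Object PSObject -Property @{
        Thumbprint         = $tp
        FoundBeforeBuild   = $foundBefore -join ';'
        ChainBuilt         = $built
        ChainStatus        = $status
        FoundAfterBuild    = $foundAfter -join ';'
        AutoUpdateDisabled = $autoUpdateDisabled
    }
}
```

If `ChainBuilt` is true while `FoundBeforeBuild` is empty and `FoundAfterBuild` lists AuthRoot, the trust came from the auto root update; if both lists stay empty and the chain still builds, the trust came from somewhere the visible stores do not show, which is the situation the post describes.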