Microsoft Root Certificate Bundle, where?
MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system.

Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?

It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction...

ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...
On 20 November 2014 at 21:31, grarpamp <grarpamp@gmail.com> wrote:
MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system. Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?
I don't know. But I know some copy of it can be accessed here: https://github.com/nabla-c0d3/sslyze/blob/master/plugins/data/trust_stores/m...

I don't know how it's generated, how complete it is, or how up to date it is. Depending on your needs it may be sufficient, or may be unusable.

-tom
On 21. 11. 2014 4:31, grarpamp wrote:
MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system. Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?
It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction...
ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...
This might help http://unmitigatedrisk.com/?p=259

also check http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate... for recent version of the CTL.

HTH

Martin
On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik <martin.rublik@gmail.com> wrote:
This might help http://unmitigatedrisk.com/?p=259 also check
That seems to reference old MS cert distribution models and cert data stores. And uses cloudflare captcha.
http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate... for recent version of the CTL.
"To use this Web site's full functionality, you must be running Microsoft Internet Explorer 6.0 or later. If you prefer to use a different Web browser, you can get updates from the Microsoft Download Center." So what whole cert stores do you see here at your link above? I believe they may not include anything Vista or beyond. Most specifically, any entire cert store dated at or beyond the Sep 29, 2014 update linked in my former post subtitled 'Windows Root CA Members / September 2014 Root Certificates Update'. If available as such, please advise and I'll enable MSIE browsing your link to obtain.
On 26. 11. 2014 4:19, grarpamp wrote:
On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik <martin.rublik@gmail.com> wrote:
This might help http://unmitigatedrisk.com/?p=259 also check
That seems to reference old MS cert distribution models and cert data stores. And uses cloudflare captcha.
I'm sorry if I provided outdated information. Anyway I think that Microsoft still uses CTLs in order to update the trust store. For the reference see for example https://support.microsoft.com/kb/2677070 or https://technet.microsoft.com/en-us/library/security/2982792.aspx

CTLs can be downloaded using any browser on these URLs:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disal...
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authr...

Unfortunately, the CTL does not contain the entire certificate, only its hash, but using the link provided you can download the certificates. If you have a Windows machine with certutil you can parse and download the CTL with a simple powershell script:

    certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process {
        # keep the text after the colon and strip the spaces
        $caCertSKI=$_.split(":")[1].Replace(" ","")
        $caCertSKI
        Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/e..." -OutFile "$caCertSKI.crt"
    }

Martin
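A check that can follow the download step described in the message above, as an added example that is not part of Martin's message or of any Microsoft tooling: the certificates are fetched over plain http, so each file is compared with the identifier taken from the CTL before it is trusted. It assumes the identifier is the SHA-1 hash of the downloaded file's bytes (the message says only that the CTL holds the certificate's hash); the function names and the sample data are constructed for illustration.

```python
import hashlib
import re

# An "Identifier:" line carrying exactly 20 bytes of hex, with or without
# spaces between bytes. Anything else is skipped, so a parsed value can never
# carry path characters into a file name.
_ID_LINE = re.compile(r"Identifier:\s*((?:[0-9A-Fa-f]{2}\s*){20})$")


def ctl_identifiers(dump_text):
    """Return the identifiers found in `certutil -dump` text, lowercase, in order."""
    found = []
    for line in dump_text.splitlines():
        match = _ID_LINE.search(line)
        if match:
            ident = re.sub(r"\s+", "", match.group(1)).lower()
            if ident not in found:
                found.append(ident)
    return found


def check_downloads(identifiers, downloaded):
    """Compare each fetched file (identifier -> bytes) with its CTL identifier."""
    report = {}
    for ident in identifiers:
        data = downloaded.get(ident)
        if data is None:
            report[ident] = "missing"
        elif hashlib.sha1(data).hexdigest() == ident:  # assumption: SHA-1 of the file
            report[ident] = "ok"
        else:
            report[ident] = "mismatch"
    return report


# Constructed sample: stand-in bytes instead of real certificates, and dump
# lines shaped like the ones the findstr filter above selects.
CERT_A = b"constructed stand-in for root certificate A"
CERT_B = b"constructed stand-in for root certificate B"
ID_A = hashlib.sha1(CERT_A).hexdigest()
ID_B = hashlib.sha1(CERT_B).hexdigest()
SAMPLE_DUMP = "\n".join([
    "Subject Identifier: " + " ".join(ID_A[i:i + 2] for i in range(0, 40, 2)),
    "Subject Identifier: " + ID_B.upper(),
    "Subject Identifier: ..\\not-a-hash",
])

if __name__ == "__main__":
    fetched = {ID_A: CERT_A, ID_B: CERT_B + b" altered in transit"}
    for ident, status in check_downloads(ctl_identifiers(SAMPLE_DUMP), fetched).items():
        print(ident, status)
```

The integrity of the result still rests on the CTL file itself, which this sketch takes as given.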
On 11/25/14, grarpamp <grarpamp@gmail.com> wrote:
... "To use this Web site's full functionality, you must be running Microsoft Internet Explorer 6.0 or later. If you prefer to use a different Web browser, you can get updates from the Microsoft Download Center."
So what whole cert stores do you see here at your link above?
what this means is: to get the certificate store you run a current version of windows. to run a current version of windows, run windows update or download the updates directly from Microsoft Download Center. if you don't want to run windows, then why do you care about windows certs? (we know the answer, but M$ says sod off)
MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system.
Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?
It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction...
ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...
Hi :) Can you document in a doc file in your repo as to where and how you are obtaining all the trust stores found below? I forgot about the others besides MS/Mozilla. Such documentation would be valuable to the community. https://github.com/nabla-c0d3/sslyze/tree/master/plugins/data/trust_stores
participants (4): coderman, grarpamp, Martin Rublik, Tom Ritter