Microsoft Root Certificate Bundle, where? - cypherpunks - lists.cpunks.org

newer
Re: [Cryptography] STARTTLS, was...

Microsoft Root Certificate Bundle, where?

older
Deanonymisation of clients in...

grarpamp

21 Nov 2014 21 Nov '14

3:31 a.m.

MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system. Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format? It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction... ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...

Reply

Sign in to reply online Use email software

Show replies by date

Tom Ritter

23 Nov 23 Nov

2:24 a.m.

On 20 November 2014 at 21:31, grarpamp wrote:

MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system. Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?

I don't know. But I know some copy of it can be accessed here: https://github.com/nabla-c0d3/sslyze/blob/master/plugins/data/trust_stores/m... I don't know how it's generated, how complete it is, or how up to date it is. Depending on your needs to may be sufficient, or may be unusable. -tom

Reply

Sign in to reply online Use email software

Martin Rublik

25 Nov 25 Nov

8:08 a.m.

On 21. 11. 2014 4:31, grarpamp wrote:

MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system. Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?

It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction...

ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...

This might help http://unmitigatedrisk.com/?p=259 also check http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate... for recent version of the CTL. HTH Martin

Reply

Sign in to reply online Use email software

grarpamp

26 Nov 26 Nov

3:19 a.m.

On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik wrote:

This might help http://unmitigatedrisk.com/?p=259 also check

That seems to reference old MS cert distribution models and cert data stores. And uses cloudflare captcha.

http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate... for recent version of the CTL.

"To use this Web site's full functionality, you must be running Microsoft Internet Explorer 6.0 or later. If you prefer to use a different Web browser, you can get updates from the Microsoft Download Center." So what whole cert stores do you see here at your link above? I believe they may not include anything Vista or beyond. Most specifically, any entire cert store dated at or beyond the Sep 29, 2014 update linked in my former post subtitled 'Windows Root CA Members / September 2014 Root Certificates Update'. If available as such, please advise and I'll enable MSIE browsing your link to obtain.

Reply

Sign in to reply online Use email software

Martin Rublik

28 Nov 28 Nov

8:36 a.m.

On 26. 11. 2014 4:19, grarpamp wrote:

On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik wrote:

...
This might help http://unmitigatedrisk.com/?p=259 also check

That seems to reference old MS cert distribution models and cert data stores. And uses cloudflare captcha.

I'm sorry if I provided outdated information. Anyway I think that Microsoft still uses CTLs in order to update the trust store. For the reference see for example https://support.microsoft.com/kb/2677070 or https://technet.microsoft.com/en-us/library/security/2982792.aspx CTLs can be downloaded using any browser on these URLs: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disal... http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authr... Unfortunatelly, the CTL does not contain entire certificate only its hash, but using the link provided you can download the certificates. If you have a Windows machine with certutil you can parse and download the CTL with a simple powershell script: certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process { $caCertSKI=$_.split(":")[1].Replace(" ","") $caCertSKI Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/e..." -OutFile "$caCertSKI.crt"} Martin

Reply

Sign in to reply online Use email software

coderman

8:50 a.m.

On 11/25/14, grarpamp wrote:

... "To use this Web site's full functionality, you must be running Microsoft Internet Explorer 6.0 or later. If you prefer to use a different Web browser, you can get updates from the Microsoft Download Center."

So what whole cert stores do you see here at your link above?

what this means is: to get the certificate store you run a current version of windows. to run a current version of windows, run windows update or download the updates directly from Microsoft Download Center. if you don't want to run windows, then why do you care about windows certs? (we know the answer, but M$ says sod off)

Reply

Sign in to reply online Use email software

grarpamp

26 Nov 26 Nov

3:09 a.m.

MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system.

Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?

It has to be somewhere near here but I'm dense today... http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction...

ex: mozilla is here https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/bu...

Hi :) Can you document in a doc file in your repo as to where and how you are obtaining all the trust stores found below? I forgot about the others besides MS/Mozilla. Such documentation would be valuable to the community. https://github.com/nabla-c0d3/sslyze/tree/master/plugins/data/trust_stores

Reply

Sign in to reply online Use email software

3583

Age (days ago)

3590

Last active (days ago)

Download

6 comments

4 participants

tags

participants (4)

coderman
grarpamp
Martin Rublik
Tom Ritter