Microsoft Root Certificate Bundle, where?

Martin Rublik martin.rublik at gmail.com
Fri Nov 28 00:36:07 PST 2014


On 26. 11. 2014 4:19, grarpamp wrote:
> On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik <martin.rublik at gmail.com> wrote:
>> This might help http://unmitigatedrisk.com/?p=259 also check
> 
> That seems to reference old MS cert distribution models
> and cert data stores. And uses cloudflare captcha.

I'm sorry if I provided outdated information. Anyway, I think that Microsoft
still uses CTLs in order to update the trust store. For reference, see for
example https://support.microsoft.com/kb/2677070 or
https://technet.microsoft.com/en-us/library/security/2982792.aspx

CTLs can be downloaded using any browser on these URLs:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Unfortunately, the CTL does not contain the entire certificate, only its hash, but
using the link provided you can download the certificates.

If you have a Windows machine with certutil you can parse and download the CTL
with a simple powershell script:

certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process {
	# take the hex after "Identifier:" and strip the spaces certutil prints between bytes
	$caCertSKI = $_.Split(":")[1].Replace(" ", "")
	$caCertSKI
	# each root is published under its thumbprint as <thumbprint>.crt
	Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$caCertSKI.crt" -OutFile "$caCertSKI.crt"
}



Martin
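As an added example (not the poster's script), here is the same download loop in Python, with the check the CTL makes possible: each downloaded .crt is hashed and kept only if its SHA-1 thumbprint matches the identifier the CTL lists for it. The certutil output lines below are constructed for illustration; the URL pattern is the one quoted in the message.

```python
import hashlib
import re
import urllib.request

# Download location quoted in the message; the CTL carries only each root's
# SHA-1 thumbprint, and the .crt file is published under that thumbprint.
CERT_URL = ("http://www.download.windowsupdate.com/msdownload/update/v3/"
            "static/trustedr/en/{}.crt")

# Constructed sample of "certutil -dump authroot.stl" output (not a real dump).
SAMPLE_DUMP = """\
CTL Entry[0]:
  Identifier: 00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 01 23 45 67
CTL Entry[1]:
  Identifier: ffeeddccbbaa99887766554433221100fedcba98
"""

_IDENT = re.compile(r"Identifier:\s*([0-9A-Fa-f\s]+)$")


def parse_identifiers(dump_text):
    """Return the thumbprints listed in the dump as lowercase hex, spaces removed."""
    ids = []
    for line in dump_text.splitlines():
        m = _IDENT.search(line)
        if m:
            ids.append(re.sub(r"\s+", "", m.group(1)).lower())
    return ids


def cert_url(thumbprint):
    return CERT_URL.format(thumbprint)


def thumbprint(der_bytes):
    """SHA-1 over the DER encoding, which is what the CTL entry identifies."""
    return hashlib.sha1(der_bytes).hexdigest()


def matches_ctl(der_bytes, expected_thumbprint):
    """True only if the downloaded certificate is the one the CTL names."""
    return thumbprint(der_bytes) == expected_thumbprint.lower()


def fetch_roots(dump_text, opener=urllib.request.urlopen):
    """Download each root and keep only those whose hash matches its CTL entry."""
    roots = {}
    for tp in parse_identifiers(dump_text):
        with opener(cert_url(tp)) as resp:
            der = resp.read()
        if matches_ctl(der, tp):  # drop anything that does not hash to the listed value
            roots[tp] = der
    return roots
```

Run `fetch_roots(open("dump.txt").read())` on a real `certutil -dump` capture to fetch the roots; `opener` is a parameter so the loop can be exercised offline with a stand-in.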



More information about the cypherpunks mailing list