
Windows CryptoAPI2 root certificate auto-update mechanism

a guest
Mar 1st, 2015
- CryptoAPI2 fetches a Microsoft-signed CAB file from (Akamai-hosted)
- CryptoAPI2 extracts the CAB and checks the signature. The CAB file holds a list of authorized CAs/root certs that Windows will allow auto-fetching/updating for
- If you open a website whose chain ends in a root cert Windows doesn't have, that CA/root cert is looked up in the list (which is cached locally as far as I understood)
- If the CA/root cert is in that list, CryptoAPI2 fetches that root certificate via http:// (yes, http, not https) from (the exact URL looks something like this: <SKI of root cert>.crt)
- If the download is corrupt or times out (5 secs. or so), nothing happens and the process is not repeated unless you restart your browser and open that website again
- If the download succeeds, some validation mechanism checks the SKI and fingerprint of the certificate (I wasn't able to figure out what exactly happens, but I couldn't just present a different root certificate. Windows wouldn't accept this).
- If validation succeeds, the root cert is installed into the local trusted store

- The process can be blocked either by disabling it via GPO (on Windows 8 via a registry entry) or by pointing DNS for the requests to
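Added example, not part of the original paste: PowerShell to make the fetches described above visible, to see what was installed, and to switch the mechanism off or redirect it. It assumes an elevated session. The CAPI2 operational log, event ID 53 ("Retrieve Object from Network"), the DisableRootAutoUpdate policy value and the RootDirUrl override are taken from Microsoft's documentation; the function names and the mirror URL are made up here.

```powershell
# Added example, not from the original paste. Run in an elevated PowerShell.
# Assumed from Microsoft documentation: the CAPI2 operational log, event ID 53
# ("Retrieve Object from Network"), DisableRootAutoUpdate and RootDirUrl.
# Function names and the example mirror URL are invented for this example.

# 1. Make the downloads visible: enable the CAPI2 operational log (off by default).
wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# 2. After opening a site whose root is not yet installed, list the network
#    retrievals CAPI2 made. Both the authroot CAB and the individual .crt
#    downloads show up here, with the URL in the event message.
function Get-CapiNetworkRetrievals {
    param([int]$Count = 20)
    $filter = @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 53 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Count -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the fetched URL out of the message regardless of its layout.
            $url = if ($_.Message -match 'https?://[^\s"<]+') { $Matches[0] } else { $null }
            [pscustomobject]@{ Time = $_.TimeCreated; Url = $url }
        }
}

# 3. See what landed in the machine root store most recently
#    (Thumbprint is the SHA-1 fingerprint of the certificate).
function Get-RecentRoots {
    param([int]$Count = 5)
    Get-ChildItem Cert:\LocalMachine\Root |
        Sort-Object NotBefore -Descending |
        Select-Object -First $Count Subject, Thumbprint, NotBefore
}

# 4. Block it: this is the registry value behind the GPO
#    "Turn off Automatic Root Certificates Update" (Computer Configuration >
#    Administrative Templates > System > Internet Communication Management >
#    Internet Communication settings). Same value works where no GPO is applied.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'

function Disable-RootAutoUpdate {
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -PropertyType DWord -Value 1 -Force | Out-Null
}

function Test-RootAutoUpdateDisabled {
    $v = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return [bool]($v -and $v.DisableRootAutoUpdate -eq 1)
}

# 5. Alternative to redirecting DNS: point the fetch at a mirror you control.
#    Populate the mirror with `certutil -syncWithWU <dir>` on a host with Internet
#    access, then set RootDirUrl (an HTTP URL or UNC path) so clients use it.
function Set-RootAutoUpdateMirror {
    param([Parameter(Mandatory)][string]$Url)   # e.g. http://pki.corp.example/authroot (made-up name)
    $k = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    New-Item -Path $k -Force | Out-Null
    New-ItemProperty -Path $k -Name RootDirUrl -PropertyType String -Value $Url -Force | Out-Null
}

# Usage: observe first, then decide.
Get-CapiNetworkRetrievals | Format-Table -AutoSize
Get-RecentRoots | Format-Table -AutoSize
Disable-RootAutoUpdate
Test-RootAutoUpdateDisabled   # expected: True
```

Caveat before flipping DisableRootAutoUpdate: a client that cannot fetch roots will fail chain building for any site whose root is not already in its store, so in practice the mirror approach (step 5) is the one that keeps browsing working while taking the Akamai-hosted HTTP download off the path.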