
Windows CryptoAPI2 root certificate auto-update mechanism

a guest
Mar 1st, 2015
- CryptoAPI2 fetches a Microsoft-signed CAB file from ctldl.windowsupdate.com (Akamai hosted)
- CryptoAPI2 extracts the CAB and checks the signature. The CAB file holds a list of authorized CAs/root certs that Windows will allow auto-fetching/updating for
- If you open a website that Windows doesn't have a valid root cert for, that CA/root cert will be looked up in the list (which is cached locally as far as I understood)
- If the CA/root cert is in that list, CryptoAPI2 will fetch that root certificate via http:// (yes, http not https) from ctldl.windowsupdate.com (the exact URL looks something like this: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/<SKI of root cert>.crt)
- If the download is corrupt or times out (5 secs. or so), nothing happens and the process is not repeated unless you restart your browser and open that website again
- If the download succeeds, some validation mechanism checks the SKI and fingerprint of the certificate (I wasn't able to figure out what exactly happens, but I couldn't just present a different root certificate. Windows wouldn't accept this).
- If validation succeeds, the root cert is installed into the local trusted store

The process can be blocked either by disabling it via GPO (on Windows 8 via a registry entry) or by pointing DNS for ctldl.windowsupdate.com to 127.0.0.1, or otherwise blocking requests to ctldl.windowsupdate.com
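As an added example (not part of the original paste, and not Microsoft's own tooling), the following PowerShell script audits and optionally applies the GPO/registry block mentioned above, and lists the roots the mechanism manages together with the SKI that the paste says names the .crt download. It assumes, as the "Turn off Automatic Root Certificates Update" policy does, that the controlling value is HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\DisableRootAutoUpdate (DWORD, 1 = disabled), that auto-fetched roots are placed in the LocalMachine AuthRoot store, and that the URL shape quoted in the paste is unchanged; the function names are mine.

```powershell
# Added example, not from the original paste. Audits the CryptoAPI2 root
# auto-update policy, can disable it, and inventories the AuthRoot store so a
# defender can compare SKI/thumbprint against what the signed CTL lists.
# Assumptions (mine): policy key/value below, AuthRoot store location, URL shape
# from the paste. Needs an elevated shell for Disable-RootAutoUpdate.

$PolicyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$PolicyName = 'DisableRootAutoUpdate'
$CtlHost    = 'ctldl.windowsupdate.com'   # download host named in the paste

function Get-RootAutoUpdateState {
    # Returns a short description of the effective policy state.
    $item = Get-ItemProperty -Path $PolicyKey -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Enabled (default, no policy value set)' }
    if ($item.$PolicyName -eq 1) { return 'Disabled' }
    return 'Enabled (policy value present but not 1)'
}

function Disable-RootAutoUpdate {
    # Sets the policy value; after this the CTL download, the <SKI>.crt fetch
    # and the install step described in the paste no longer run.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name $PolicyName -PropertyType DWord -Value 1 -Force | Out-Null
    Get-RootAutoUpdateState
}

function Get-AuthRootInventory {
    # Lists roots in the AuthRoot store with SKI and SHA-1 thumbprint. The SKI is
    # the name the paste says is used for the .crt download; the thumbprint is
    # what the paste's "fingerprint" validation step would be checked against.
    Get-ChildItem -Path 'Cert:\LocalMachine\AuthRoot' | ForEach-Object {
        $cert   = $_
        $skiExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' }  # Subject Key Identifier
        $ski    = if ($skiExt) { $skiExt.SubjectKeyIdentifier } else { '(no SKI)' }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            SKI        = $ski
            NotAfter   = $cert.NotAfter
            # URL shape is the one quoted in the paste; assumed unchanged.
            CrtUrl     = "http://$CtlHost/msdownload/update/v3/static/trustedr/en/$($ski.ToLower()).crt"
        }
    }
}

function Test-CtlHostResolution {
    # Shows what the download host currently resolves to. After the DNS block
    # the paste suggests, this should return 127.0.0.1 rather than a CDN edge.
    try {
        (Resolve-DnsName -Name $CtlHost -Type A -ErrorAction Stop |
            Where-Object { $_.IPAddress }).IPAddress
    } catch {
        "unresolved: $($_.Exception.Message)"
    }
}

# Usage: run as-is to audit; call Disable-RootAutoUpdate from an elevated shell to block.
Get-RootAutoUpdateState
Get-AuthRootInventory | Format-Table Subject, Thumbprint, SKI -AutoSize
Test-CtlHostResolution
```

Because the .crt itself travels over plain http, the only integrity the paste identifies is the SKI/fingerprint check against the signed CTL; the inventory above gives you those same two values per installed root so a mismatch (or an unexpected new entry in AuthRoot) can be spotted when reviewing a machine.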