Windows CryptoAPI2 root certificate auto-update mechanism

Posted by a guest, Mar 1st, 2015
- CryptoAPI2 fetches a Microsoft-signed CAB file from ctldl.windowsupdate.com (Akamai-hosted).
- CryptoAPI2 extracts the CAB and checks the signature. The CAB file holds the list of authorized CAs/root certs that Windows will allow auto-fetching/updating for.
- If you open a website that Windows doesn't have a valid root cert for, that CA/root cert will be looked up in the list (which is cached locally, as far as I understood).
- If the CA/root cert is in that list, CryptoAPI2 will fetch that root certificate via http:// (yes, http, not https) from ctldl.windowsupdate.com (the exact URL looks something like this: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/<SKI of root cert>.crt).
- If the download is corrupt or times out (5 seconds or so), nothing happens and the process is not retried unless you restart your browser and open that website again.
- If the download succeeds, some validation mechanism checks the SKI and fingerprint of the certificate (I wasn't able to figure out what exactly happens, but I couldn't just present a different root certificate. Windows wouldn't accept this).
- If validation succeeds, the root cert is installed into the local trusted store.

The process can be blocked either by disabling it via GPO (on Windows 8 via a registry entry) or by pointing DNS for ctldl.windowsupdate.com to 127.0.0.1 / blocking requests to ctldl.windowsupdate.com.
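The steps above leave one question open: why a root certificate pulled over plain http:// can still be safe to install. The answer is in the validation step: the downloaded file is only accepted if its subject key identifier (SKI) and fingerprint match an entry in the list that arrived inside the signed CAB, so the transport carries no trust of its own. The following is an added example that models that check; it is not Microsoft's code and not the paste author's. Everything about the list format is an assumption (a mapping from SKI hex to a SHA-1 fingerprint), the SKI is located by searching for its OID rather than by a full X.509 walk, the URL is assumed to use uppercase hex, and the "certificate" is a constructed DER blob built inline, not a real certificate.

```python
import hashlib
import hmac

# URL prefix as given in the paste; the file name is the root cert's SKI in hex (uppercase assumed).
CTLDL_BASE = "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
# DER encoding of OBJECT IDENTIFIER 2.5.29.14 (id-ce-subjectKeyIdentifier), tag and length included.
SKI_OID_DER = bytes.fromhex("0603551d0e")


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _tlv(tag, content):
    """Encode one DER TLV (used only to construct the sample certificate below)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def extract_ski(der):
    """Return the subjectKeyIdentifier as lowercase hex, or None if the extension is absent.

    Simplification (assumption): the extension is found by searching for its OID instead of
    walking the full X.509 structure; enough for a worked example, not a complete parser.
    """
    idx = der.find(SKI_OID_DER)
    if idx < 0:
        return None
    tag, value, nxt = _read_tlv(der, idx + len(SKI_OID_DER))
    if tag == 0x01:                        # optional "critical" BOOLEAN precedes extnValue
        tag, value, nxt = _read_tlv(der, nxt)
    if tag != 0x04:                        # extnValue is an OCTET STRING ...
        return None
    inner_tag, key_id, _ = _read_tlv(value, 0)
    if inner_tag != 0x04:                  # ... wrapping the KeyIdentifier OCTET STRING
        return None
    return key_id.hex()


def sha1_fingerprint(der):
    """SHA-1 thumbprint of the DER bytes, the fingerprint form Windows displays for certificates."""
    return hashlib.sha1(der).hexdigest()


def download_url_for(ski_hex):
    """Build the ctldl URL for a root cert from its SKI, following the pattern in the paste."""
    return f"{CTLDL_BASE}{ski_hex.upper()}.crt"


def validate_fetched_root(der, authorized):
    """Model of the post-download check: accept only if the cert's SKI is on the signed list
    and its fingerprint equals the one recorded there. This is what makes the plain-http
    transport tolerable: a substituted or modified file fails here and is never installed."""
    ski = extract_ski(der)
    if ski is None or ski not in authorized:
        return False
    return hmac.compare_digest(sha1_fingerprint(der), authorized[ski])


# --- constructed sample data (not a real certificate) ---------------------------------
SAMPLE_KEY_ID = bytes(range(20))           # constructed 20-byte key identifier
SAMPLE_EXT = _tlv(0x30, SKI_OID_DER + _tlv(0x04, _tlv(0x04, SAMPLE_KEY_ID)))
SAMPLE_CERT = _tlv(0x30, _tlv(0x04, b"constructed filler, not a real certificate")
                   + _tlv(0x30, SAMPLE_EXT))
# Stand-in for the entries CryptoAPI2 caches from the signed CAB: SKI -> expected fingerprint.
AUTHORIZED = {SAMPLE_KEY_ID.hex(): sha1_fingerprint(SAMPLE_CERT)}


if __name__ == "__main__":
    print("fetch URL:", download_url_for(extract_ski(SAMPLE_CERT)))
    print("genuine file accepted:", validate_fetched_root(SAMPLE_CERT, AUTHORIZED))
    tampered = bytearray(SAMPLE_CERT)
    tampered[5] ^= 0xFF                    # corrupt one byte of the body, SKI untouched
    print("modified file accepted:", validate_fetched_root(bytes(tampered), AUTHORIZED))
```

The two failure cases in the model correspond to the outcomes described in the paste: a file whose SKI is not on the cached list is rejected outright, and a file with the right SKI but altered bytes is rejected because its fingerprint no longer matches the list entry. The fingerprint comparison uses `hmac.compare_digest` purely as good hygiene for comparing digests; the real protection comes from the list having been verified against the CAB signature before any download is attempted.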