- - CryptoAPI2 fetches a MS signed CAB file from ctldl.windowsupdate.com (Akami hosted)
- - CryptoAPI2 extracts the CAB and checks the signature. CAB file holds a list of authorized CAs/Root certs, that Windows will allow auto-fechting/updating for
- - If you open a website that Windows doesn't have a valid root cert for, that CA/Root cert will be looked up from the list (which is cached localy as far as I understood)
- - If the CA/Root cert is in that list, CryptoAPI2 will fetch that root certificate via http:// (yes, http not https) from ctldl.windowsupdate.com (the exact URL looks s. th. like this: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/<SKI of root cert>.crt)
- - If the DL is corrupt or times out (5 secs. or so), nothing happens and the process is not reproduced unless you restart your browser and open that website again
- - If DL succeeds, some validation mechanism checks the SKI and fingerprint of the certificate (I wasn't able to figure out, what exactly happens, but I couldn't just present a different root certificate. Windows wouldn't accept this).
- - If validation succeeds, the root cert is installed into the local trusted store
- The process can be blocked either by disabling it via GPO (on Windows 8 via Registry Entry) or by pointing DNS for ctldl.windowsupdate.com to 127.0.0.1/blocking requests to ctldl.windowsupdate.com
Windows CryptoAPI2 root certificate auto-update mechanism
a guest Mar 1st, 2015 358 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
RAW Paste Data