3

On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root from somewhere and silently installs it into the Trusted Certificate Authorities store. After this we can build the certificate chain up to the newly installed root. If we manually remove the newly downloaded trusted root certificate from the Windows store, the chain can't be built again.

I know about Authority Information Access extension. The problem is that the topmost available certificate in the chain (the child of missing trusted root) does NOT have such extension included. And even if it had, Windows would not automatically trust the downloaded certificate.

So there must be some other source of knowledge about trusted roots. The question is: how can we use that source ourselves? The topmost available certificate is available here if anyone is interested in inspecting it.

Eugene Mayevski 'Callback

3 Answers

3

This link http://support.microsoft.com/kb/931125 explains how Windows updates root certificates silently in Vista and 7.

José
1

I also stumbled on this multiple times. It can be reproduced easily using Windows Sandbox. If you use curl or similar, certificates cannot be verified. Only if you call WinHttpOpen will the root certificate (if trusted) be added to the root certificate store. See this post.

Largo
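To see the silent root update from the KB931125 answer and the WinHttpOpen observation in action, here is an added PowerShell script (not from the question or any answer) that snapshots the Root/AuthRoot stores, builds the chain through CryptoAPI via .NET's X509Chain, and reports which root appeared. It assumes a certificate file at the placeholder path `$CertPath` and checks the documented `DisableRootAutoUpdate` policy value, which is what stops this behaviour on hardened systems.

```powershell
# Added example: observe the Windows automatic root update by diffing the
# trusted root stores around a chain build. $CertPath is a placeholder.
param(
    [string]$CertPath = 'C:\path\to\topmost-available-cert.cer'   # placeholder
)

# Group Policy "Turn off Automatic Root Certificates Update" sets this value;
# when it is 1, Windows will not fetch the missing root and the chain build fails.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
Write-Host ("Root auto-update disabled by policy: {0}" -f ($policy.DisableRootAutoUpdate -eq 1))

# Auto-downloaded roots can land in the user or machine Root/AuthRoot stores.
$stores = 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root',
          'Cert:\CurrentUser\AuthRoot', 'Cert:\LocalMachine\AuthRoot'

function Get-RootThumbprints {
    Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique
}

$before = Get-RootThumbprints

# X509Chain.Build goes through CertGetCertificateChain, the same CryptoAPI path
# that IE and WinHttp use, so it can trigger the Windows Update root download.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from revocation
$built = $chain.Build($cert)

Write-Host ("Chain built: {0}" -f $built)
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $status)
}

# Anything present now but not before was installed silently by the chain build.
$after = Get-RootThumbprints
$added = Compare-Object -ReferenceObject @($before) -DifferenceObject @($after) |
    Where-Object { $_.SideIndicator -eq '=>' } | Select-Object -ExpandProperty InputObject
if ($added) {
    Write-Host 'Roots installed during this chain build:'
    Get-ChildItem -Path $stores -ErrorAction SilentlyContinue |
        Where-Object { $added -contains $_.Thumbprint } |
        Select-Object Subject, Thumbprint, NotAfter, PSParentPath -Unique
} else {
    Write-Host 'No new roots were installed.'
}
```

Run it once, delete the reported root, run it again, and the root reappears on the second chain build, which is the behaviour the question describes; with the policy value set to 1 the second run fails instead.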
0

Certificates contain an extension called "Authority Information Access" which contains the details of the issuing CA. An example from the certificate used for "https://google.com" is shown below. The browser reads this value, downloads the certificate from the URL provided and repeats the process up the certificate chain.

google.com AIA Extension

akton
  • I mentioned in the question that (a) we use this extension, (b) there's no such extension present in the certificate in question, and (c) even if it were present, neither Windows nor any other software would trust the certificate referenced by the extension. Meanwhile Windows downloads the certificate and installs it to trusted roots, which implies that Windows uses not the AIA extension but some other source of knowledge. – Eugene Mayevski 'Callback Aug 31 '12 at 13:37
  • I am sorry for misinterpreting your question. You mentioned the "Subject Authority Information" extension and I wasn't sure which one you meant. As for it being absent from the topmost intermediate CA and it still working, I do not know the answer. If I find out, I'll let you know. – akton Aug 31 '12 at 14:06
  • Who knows what I was thinking about when writing the extension name... Thank you for noticing this, I've updated the question. – Eugene Mayevski 'Callback Aug 31 '12 at 15:05