Windows Automatic Root Update Mechanism

This section describes the automated process Windows uses to contact the Windows Update Web site, fetch a trusted root certificate, and install it on the local computer whenever that root certificate is needed.

To better understand why IE 10 automatically reinstalls a trusted root certificate on my computer, I did some quick research and found this article, "How to get a Root Certificate update for Windows", on the Microsoft Web site:

How Windows updates root certificates - Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed through the Windows Root Certificate Program. ...

Windows Vista and Windows 7 - Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.

Now I understand better what happened in my previous tutorial:

On Windows 7, there seems to be no way to turn off the automatic root update mechanism.

But on Windows XP, the automatic root update mechanism is called the "Update Root Certificates" component, and you can turn it off. See other tutorials in the book for more details.
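To observe which root certificate the automatic root update mechanism installs, you can snapshot the root stores before and after visiting an HTTPS site and compare the two. The script below is an added example, not part of the original tutorial or the Microsoft article. It assumes PowerShell 3.0 or later and that the installed root appears in the local machine `Root` or `AuthRoot` store; the function names are hypothetical.

```powershell
# Added example: detect root certificates added or removed between two snapshots.
# Assumption: the auto-installed root lands in one of these local machine stores.
function Get-RootSnapshot {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')
    )
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path | ForEach-Object {
            # Keep only the fields needed to identify a certificate later.
            [pscustomobject]@{
                Store      = $path
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-RootSnapshot {
    param($Before, $After)
    # Match entries on store + thumbprint; -PassThru returns the original
    # objects with a SideIndicator property ('=>' means only in $After).
    Compare-Object -ReferenceObject $Before -DifferenceObject $After `
                   -Property Store, Thumbprint -PassThru |
        Select-Object @{ Name = 'Change'; Expression = {
                          if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } },
                      Store, Thumbprint, Subject, NotAfter
}

$before = Get-RootSnapshot
Read-Host 'Snapshot taken. Visit the HTTPS site in the browser, then press Enter' | Out-Null
$after = Get-RootSnapshot

$changes = Compare-RootSnapshot -Before $before -After $after
if ($changes) {
    $changes | Format-Table -AutoSize
} else {
    'No root certificates were added or removed.'
}
```

Run it from an elevated or normal PowerShell prompt; reading the stores does not require administrator rights.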

Last update: 2015.
