PKI Tutorials - Herong's Tutorial Examples - Version 2.04, by Dr. Herong Yang
Windows Automatic Root Update Mechanism
This section describes the automated process Windows uses to contact the Windows Update Web site, fetch a trusted root certificate, and install it on the local computer whenever that root certificate is needed.
To better understand why IE 10 automatically reinstalls a trusted root certificate on my computer, I did some quick research and found the article "How to get a Root Certificate update for Windows" on the Microsoft Web site:
How Windows updates root certificates - Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed through the Windows Root Certificate Program. ...
Windows Vista and Windows 7 - Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.
Now I understand better what happened in my previous tutorial:
On Windows 7, there seems to be no way to turn off the automatic root update mechanism.
But on Windows XP, the automatic root update mechanism is called the "Update Root Certificates" component, and you can turn it off. See other tutorials in the book for more details.
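To see the on-demand behavior described above on a real machine, the following PowerShell script (an added example, not part of the original tutorial or the Microsoft article) compares the roots installed in the local machine store with the roots currently published through Windows Update. It assumes a certutil build that supports the -generateSSTFromWU option and network access to Windows Update; the file name wu-roots.sst is an arbitrary choice.

```powershell
# Added example: audit the local Trusted Root store against the root list
# that Windows Update publishes. Nothing is installed or removed.

# Assumption: this certutil build supports -generateSSTFromWU.
$sst = Join-Path $env:TEMP 'wu-roots.sst'   # arbitrary output file name
& certutil.exe -generateSSTFromWU $sst | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }

# Load the serialized store (.sst) into memory only.
$published = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$published.Import($sst)

# Index the published roots by thumbprint for fast lookup.
$publishedThumbs = @{}
foreach ($c in $published) { $publishedThumbs[$c.Thumbprint] = $true }

# Roots this computer trusts right now.
$local = Get-ChildItem -Path Cert:\LocalMachine\Root
$localThumbs = @{}
foreach ($c in $local) { $localThumbs[$c.Thumbprint] = $true }

# One row per locally trusted root, flagged by whether it is in the published list.
$report = foreach ($c in $local) {
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        Published  = $publishedThumbs.ContainsKey($c.Thumbprint)
    }
}

# Locally trusted roots that are not in the published list reached the store
# some other way and are the ones to review first.
"Locally trusted roots not in the published list:"
$report | Where-Object { -not $_.Published } |
    Sort-Object Subject | Format-Table Thumbprint, NotAfter, Subject -AutoSize

# Because roots are fetched only when a chain needs them, usually only a
# subset of the published roots is present locally.
$installed = @($published | Where-Object { $localThumbs.ContainsKey($_.Thumbprint) }).Count
"{0} of {1} published roots are installed locally." -f $installed, $published.Count
```

Running the script before and after visiting an HTTPS site whose root was previously deleted shows the installed count change by one, which is the automatic reinstall seen in the previous tutorial.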
Last update: 2015.