PKI Tutorials - Herong's Tutorial Examples - Version 2.03, by Dr. Herong Yang
Windows Automatic Root Update Mechanism
This section describes the automated process used by Windows to communicate to Windows Update Web site to fetch a trusted root certificate and install it on the local computer, whenever the root certificate is needed.
To understand better why IE 10 is automatically reinstall a trusted root certificate on my computer, I did a quick research and found this article "How to get a Root Certificate update for Windows" on Microsoft Web site:
How Windows updates root certificates - Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed through the Windows Root Certificate Program. ...
Windows Vista and Windows 7 - Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.
Now I understand better what happened in my previous tutorial:
On Windows 7, there seems to have no way to turn off the automatic root update mechanism.
But on Windows XP, the automatic root update mechanism is called "Update Root Certificates" component and you can turn it off. See other tutorials in the book for more details.
Last update: 2015.
Table of Contents