PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
Windows Automatic Root Update Mechanism
This section describes the automated process Windows uses to contact the Windows Update website, fetch a trusted root certificate, and install it on the local computer whenever that root certificate is needed.
To better understand why IE automatically reinstalls a trusted root certificate on my computer, I did some quick research and found this article, "How to get a Root Certificate update for Windows", on the Microsoft website:
How Windows updates root certificates - Microsoft has introduced new root update mechanisms in different versions of Microsoft Windows. These mechanisms have progressively focused on distributing fewer root certificates, but on making distributions as seamless as possible when a root certificate is required and is distributed through the Windows Root Certificate Program. ...
Windows Vista and Windows 7 - Root certificates on Windows Vista and later versions are distributed through the automatic root update mechanism. That is, they are distributed through the root certificate. When a user goes to a secure website (by using HTTPS SSL), reads a secure email message (S/MIME), or downloads an ActiveX control that is signed (code signing), and then encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If the software finds the root certificate, the software downloads the current Certificate Trust List (CTL). The CTL contains the list of all trusted root certificates in the program and verifies that the root certificate is listed there. Then, it downloads the specified root certificate to the system and installs the certificate in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error.
Now I understand better what happened in my previous tutorial:
On Windows 7, there seems to be no way to turn off the automatic root update mechanism.
But on Windows XP, the automatic root update mechanism is called the "Update Root Certificates" component, and you can turn it off. See other tutorials in the book for more details.
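The lookup sequence quoted above, modelled in Python as an added example (not code from this tutorial or from Microsoft). The UpdateSite class, the function names and the byte strings standing in for certificates are constructed for illustration, and the thumbprint check on the downloaded file is an assumption of the model.

```python
import hashlib

class ChainError(Exception):
    """The chain could not be completed to a trusted root."""

def thumbprint(cert: bytes) -> str:
    # Windows identifies a certificate by the SHA-1 hash of its encoded bytes.
    return hashlib.sha1(cert).hexdigest()

class UpdateSite:
    """Hypothetical in-memory stand-in for the update site (no network)."""
    def __init__(self, program_roots, other_files=()):
        self.ctl = {thumbprint(c) for c in program_roots}  # roots in the program
        self.files = {thumbprint(c): c for c in (*program_roots, *other_files)}

    def download(self, tp):
        return self.files.get(tp)

def complete_chain(root_tp, store, site):
    """Return (root, action) for the root ending a chain, or raise ChainError."""
    if root_tp in store:
        return store[root_tp], "already-trusted"
    if root_tp not in site.ctl:            # CTL check happens before any install
        raise ChainError("root not listed in the CTL")
    cert = site.download(root_tp)
    # Assumption of this model: the download must hash to the listed thumbprint.
    if cert is None or thumbprint(cert) != root_tp:
        raise ChainError("downloaded root does not match the CTL entry")
    store[root_tp] = cert                  # silent install into the trusted root store
    return cert, "installed-from-update"

# Constructed sample data: byte strings standing in for DER certificates.
PROGRAM_ROOT = b"constructed: public CA root in the program"
PRIVATE_ROOT = b"constructed: private CA root outside the program"

def demo():
    site = UpdateSite([PROGRAM_ROOT], other_files=[PRIVATE_ROOT])
    store = {}                             # the user has deleted the root locally
    results = [complete_chain(thumbprint(PROGRAM_ROOT), store, site)[1]]
    results.append(complete_chain(thumbprint(PROGRAM_ROOT), store, site)[1])
    try:
        complete_chain(thumbprint(PRIVATE_ROOT), store, site)
    except ChainError as exc:
        results.append(str(exc))
    return results, sorted(store)

if __name__ == "__main__":
    print(demo())
```

The first call in demo() shows why a root deleted from the local store reappears on the next verification; the last shows the chain error for a root that is not in the CTL.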