已安装时间戳证书，什么是安装证书？ [英] Time-Stamp Certificates are Installed, What is Installing them?

问题描述

我目前正在开发一个脚本程序，该程序通过对某些事物进行快照来跟踪操作系统中的更改。其中之一是证书。目的是查看已安装程序对系统所做的更改。当前的问题是，我一直看到添加的证书没有被程序添加，而Windows被添加。我的目标是防止Windows在测试期间下载证书。通过使用以下命令安装全新的Trust Root Authority证书存储：

I am currently working on a scripted program which tracks changes in the operating system by taking snapshots of certain things. One of these are the certificates. The goal being to see what changes an installed program makes to the system. The current issue is that I keep seeing certificates being added that the program did not add, Windows did. My goal was to prevent Windows from downloading certificates during the test. By installing a brand new Trust Root Authority certificates store using the commands:

CertUtil -GenerateSSTFromWU <filename>

之后：

updroots.exe <filename>

问题在于，安装新商店后，虽然我看到添加的证书减少了，但我继续查看添加到CurrentUser / CA存储中的多个时间戳证书。我希望有人知道我们来自这些证书，以及如何预先安装它们，以便它们不会在测试中出现。谢谢您的建议。

The issue is that after installing this new store, while I do see fewer certificates being added, I continue to see a number of time-stamp certificates being added to the CurrentUser/CA store. I was hoping someone knew where these certificates we coming from and how I could perhaps pre-install them so they do not appear during the test. Thank you for your advice.

编辑：

证书示例包括

Examples of certificates include,

Microsoft时间戳PCA 2010

Microsoft代码签名PCA 2010

Microsoft时间戳PCA

GlobalSign时间戳CA-G2

Microsoft代码签名PCA

Microsoft Time-Stamp PCA 2010
Microsoft Code Signing PCA 2010
Microsoft Time-Stamp PCA
GlobalSign Timestamping CA - G2
Microsoft Code Signing PCA

编辑2.0：

环顾四周，我曾提到它在当前用户/ CA存储中安装了证书。对应于certmgr中的中间证书颁发机构存储。我相信AuthRootAutoUpdate适用于受信任的根证书颁发机构存储。我现在正在研究的问题，是否有单独的服务负责更新中间证书颁发机构？

Edit 2.0:
Was looking around, I had mentioned that it installed the certificates in the Current User/CA store, which appears to correspond to the Intermediate Certificate Authorities store in certmgr. I believe that AuthRootAutoUpdate applies to the Trusted Root Certificate Authorities store. The question I am looking into now, is there a separate service responsible for updating Intermediate Certificate Authorities?

推荐答案

Windows尝试获取证书来自ctldl.windowsupdate.com。首先，它尝试获取以下文件：

Windows try to get certificates from ctldl.windowsupdate.com. Firstly it try to get following files:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

然后如果需要根证书来检查文件夹中证书的身份，则可以获取根证书：

And then it can take root certificates if it needs them to check identity of certificates from folder:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/

这篇关于已安装时间戳证书，什么是安装证书？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！