Trusted root certificate is magically installed to Windows

Problem description

On certain sites the certificate chain cannot be built up to the trusted root certificate because this trusted root cert is not known to Windows. But if we visit such a site using IE or Chrome, Windows automatically downloads (verified) the trusted root somewhere and silently installs it to Trusted Certificate Authorities storage. After this we can build the certificate chain up to the newly installed root. If we manually remove the newly downloaded trusted root certificate from Windows storage, the chain can't be built again.

I know about the Authority Information Access extension. The problem is that the topmost available certificate in the chain (the child of the missing trusted root) does NOT have such an extension included. And even if it had, Windows would not automatically trust the downloaded certificate.

So there must be some other source of knowledge about trusted roots. The question is - how can we use that source ourselves. The topmost available certificate is available here if anyone is interested in inspecting it.

Recommended answer

This link http://support.microsoft.com/kb/931125 explains how Windows updates root certificates silently in Vista and 7.
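
To observe the behaviour described in the question on a test machine, the following added example (not part of the original question or answer) snapshots the root stores, builds a chain for the topmost available certificate, and reports any root that appeared as a result. The path `C:\temp\topmost.cer` is a hypothetical placeholder for that certificate exported to a file; building the chain with .NET's `X509Chain` uses the same Windows chain engine the browsers rely on.

```powershell
# Added example: detect root certificates that Windows installs while building a chain.
# $Path is a hypothetical placeholder for the exported "topmost available" certificate.
param([string]$Path = 'C:\temp\topmost.cer')

# Root stores to watch: machine roots, third-party (auto-updated) roots, user roots.
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

function Get-RootThumbprints {
    # Unique thumbprints currently present across the watched stores.
    $stores | ForEach-Object { Get-ChildItem -Path $_ } |
        Select-Object -ExpandProperty Thumbprint -Unique
}

$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)

# Authority Information Access has OID 1.3.6.1.5.5.7.1.1; the question says it is absent.
$aia = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Has AIA : $([bool]$aia)"

$before = @(Get-RootThumbprints)

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
# Skip revocation lookups so the result reflects chain building only.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)

"Chain built : $built"
$chain.ChainElements | ForEach-Object { "  element: $($_.Certificate.Subject)" }
$chain.ChainStatus   | ForEach-Object { "  status : $($_.Status)" }

# Anything present now but not before was installed during chain building.
$added = @(Get-RootThumbprints | Where-Object { $_ -notin $before })
if ($added.Count -gt 0) {
    "Roots added during chain building:"
    $stores | ForEach-Object { Get-ChildItem -Path $_ } |
        Where-Object { $_.Thumbprint -in $added } |
        Select-Object Subject, Thumbprint, PSParentPath -Unique |
        Format-List
} else {
    "No new root certificates were installed."
}
$chain.Dispose()
```

Run it once after deleting the root in question from the store and once again afterwards: the first run should list the re-installed root, the second should report no change.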
