[Twisted-Python] Updating wincertstore for SSL certificates

John Aherne johnaherne at rocs.co.uk
Fri Nov 20 01:52:51 MST 2015


I am posting here because my update on the wiki got rejected as spam.

If I can get that fixed I will repost it to the wiki.

Anyway here is what I wanted to post.

Regards

John Aherne


Some additional information regarding wincertstore.

My reading of the runes relating to automatic and dynamic updates is as
follows:

In an organisation with a sysadmin, dynamic updates will be turned off and
an internal mechanism will be in place to update clients.

Dynamic updates represent too much of a security risk.

There is also an option from Microsoft on a daily basis to automatically
update the certificate store.

So sysadmins can either arrange to have the daily update occur or have it
downloaded to a central system under their control where they distribute
the update plus any other certificates they need to add for company use.


In smaller organisations no doubt the automatic update will be left in
place.

It would seem that the dynamic update is part of the Windows OS and the
application is not involved in the process. The verification either
succeeds or fails.

As an example, see this link, which contains this info:

http://dreamlayers.blogspot.co.uk/2009/12/windows-7-cant-always-automatically.html

<<Today Secunia PSI refused to run with the message: "an error occurred
while verifying the security certificate". Then I found that IE refused
to show https://secunia.com because the certificate was "not issued by a
trusted certificate authority".

Firefox did not have a problem with that webpage.

For some reason, IE did not recognize the "Thawte Server CA" certificate.
IE also refused to recognize StartSSL.

This was really weird, because as far as I know, Windows 7 is supposed to
automatically update root certificates.

Microsoft even explains how the process works in Vista. My first thought
was that my firewall was blocking the update, but that was not it.

Event log showed event 4100 from CAPI2, which is "Successful auto update
retrieval of third-party root certificate".

The problem was event 4110: "Failed to add certificate to Third-Party Root
Certification Authorities store with error:

A certificate chain could not be built to a trusted root authority."

I manually downloaded and installed the latest root certificate update from
Windows Update.

After that, everything works. I'm just left wondering why I had to deal
with this in the first place.


A later comment says:

I think this may be because Cryptographic Services (CryptSvc) was unable to
access the Internet because of the firewall.

Its description says that it includes the "Automatic Root Certificate
Update Service, which retrieves root certificates from Windows Update".

There are CAPI2 events relating to downloading and unpacking a root
certificates .CAB file, and those do not appear in my event log.>>

So Windows Cryptographic Services does the dynamic check for certificate
verification.

However, you can always download the latest certificate store and update it
yourself.

This strikes me as similar to using the Firefox download as happens on many
Linux systems and how the requests library works.

I did a simple test to see if the dynamic update works on my win7 system.

I used certmgr.msc to delete the GoDaddy root certificate.

I then opened a browser to the godaddy site to see what would happen.

In some sidebar I saw a link that said the cert was failing, but the main
site connected without problems.

When I checked the certificate store there was still no godaddy root
certificate. So what was happening?

I then downloaded the update and updated my store. I ended up with about
200 entries. More than before but since I did not make a note I can't
really be sure if I got more than when I started.

I just need to run some more tests to see how this dynamic update is
supposed to work.

Manually updating the certificate store


The link to manually update the certificate store is below:

To manually install the certificates:

1. Download
http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe

2. Extract the files using the command rootsupd.exe /c /t:C:\temp\extroot

3. from c:\temp\extroot run the following 4 commands (from an elevated
prompt)

updroots.exe authroots.sst

updroots.exe updroots.sst

updroots.exe -l roots.sst

updroots.exe -d delroots.sst


Here is an extract from microsoft technet explaining how the automatic
update works.

https://technet.microsoft.com/en-us/library/cc749331(WS.10).aspx

<<The Update Root Certificates feature in Windows Vista is designed to
automatically check the list
of trusted authorities on the Windows Update Web site when this check is
needed by a user's application.
Specifically, if the application is presented with a certificate issued by
a certification authority in
a PKI that is not directly trusted, the Update Root Certificates feature
(if it is not turned off)
will contact the Windows Update Web site to see if Microsoft has added the
certificate of the root CA
to its list of trusted root certificates. If the CA has been added to the
Microsoft list of trusted authorities,
its certificate will automatically be added to the set of trusted root
certificates on the user's computer.
The Update Root Certificates feature can be turned off in Windows Vista by
using Group Policy.

For more information, see "Procedures for Viewing or Changing Group Policy
Settings that Affect
Certificates in Windows Vista," later in this section.>>

Below is a link to a Mozilla forum where the sysadmins have been
complaining over the past 7 years that Firefox will not support
wincertstore so it can be integrated into their control systems.

As a result they drop firefox and only support chrome and IE.

https://bugzilla.mozilla.org/show_bug.cgi?id=432802

-- 
John Aherne
www.rocs.co.uk
020 7223 7567
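The "delete a root and see whether Windows fetches it back" test described in the post, as an added example that is not part of the original message or of wincertstore: it records which store the root reappears in (the auto-update feature installs into the Third-Party Root Certification Authorities store, `AuthRoot`, which is the store named in the event 4110 text quoted above, not the Trusted Root store that certmgr.msc shows first), and it pulls the CAPI2 events that explain a success or a failure. It has to run from an elevated prompt. The subject pattern, the host name, the backup directory, the Group Policy registry value and the choice of the Application log with provider Microsoft-Windows-CAPI2 are assumptions made for this example.

```powershell
# Added example, not from the original post. Assumptions are marked as such.
$pattern   = '*Go Daddy*'          # assumed subject pattern of the root to remove
$hostName  = 'www.godaddy.com'     # assumed site whose chain ends in that root
$backupDir = 'C:\temp\rootbackup'  # assumed backup location

function Find-Root([string]$subjectPattern) {
    # Look in both the Trusted Root store and the Third-Party Root store (AuthRoot):
    # the automatic root update writes into AuthRoot, so a check of Root alone misses it.
    foreach ($s in 'Root', 'AuthRoot') {
        $st = New-Object System.Security.Cryptography.X509Certificates.X509Store($s, 'LocalMachine')
        $st.Open('ReadOnly')
        foreach ($c in $st.Certificates) {
            if ($c.Subject -like $subjectPattern) {
                New-Object PSObject -Property @{ Store = $s; Thumbprint = $c.Thumbprint; Subject = $c.Subject; Cert = $c }
            }
        }
        $st.Close()
    }
}

function Remove-Root($entry) {
    $st = New-Object System.Security.Cryptography.X509Certificates.X509Store($entry.Store, 'LocalMachine')
    $st.Open('ReadWrite')
    $st.Remove($entry.Cert)
    $st.Close()
}

# 0. Preconditions: CryptSvc must be running, and the Group Policy that turns the
#    feature off (assumed registry value DisableRootAutoUpdate) must not be set to 1.
$svc    = Get-Service CryptSvc
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot' -ErrorAction SilentlyContinue
$policyState = if ($policy) { $policy.DisableRootAutoUpdate } else { 'not set' }
Write-Host ("CryptSvc: {0}; DisableRootAutoUpdate policy: {1}" -f $svc.Status, $policyState)

# 1. Back up and delete every matching root (same effect as the certmgr.msc deletion in the post).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$initial = @(Find-Root $pattern)
foreach ($e in $initial) {
    [IO.File]::WriteAllBytes((Join-Path $backupDir "$($e.Thumbprint).cer"), $e.Cert.Export('Cert'))
    Remove-Root $e
    Write-Host "Removed from $($e.Store): $($e.Subject)"
}

# 2. Build a chain against the live site. SChannel/CryptoAPI does the chain building, and
#    that is the moment at which the auto-update feature is allowed to fetch a missing root.
$start = Get-Date
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($hostName, 443)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($hostName)
    Write-Host "Handshake OK. Leaf issuer: $($ssl.RemoteCertificate.Issuer)"
    $ssl.Close(); $tcp.Close()
} catch {
    Write-Host "Handshake rejected: $($_.Exception.Message)"
}

# 3. Did the root come back, and into which store?
$after = @(Find-Root $pattern)
if ($after.Count -gt 0) { $after | Select-Object Store, Thumbprint, Subject | Format-Table -AutoSize }
else { Write-Host "No matching root present after the handshake" }

# 4. CAPI2 events since the test started. The post quotes two of them: 4100 (successful auto
#    update retrieval of a third-party root) and 4110 (failed to add it to the AuthRoot store).
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-CAPI2'; StartTime = $start } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# 5. If auto-update did not restore the root, put the backed-up copy back so the machine
#    is not left with a trust gap after the experiment.
foreach ($e in $initial) {
    if (-not ($after | Where-Object { $_.Thumbprint -eq $e.Thumbprint })) {
        $st = New-Object System.Security.Cryptography.X509Certificates.X509Store($e.Store, 'LocalMachine')
        $st.Open('ReadWrite'); $st.Add($e.Cert); $st.Close()
        Write-Host "Restored $($e.Subject) to $($e.Store) from backup"
    }
}
```

If step 3 shows the root back in AuthRoot while Root stays empty, the dynamic update worked and the browser's "connected without problems" result is explained; a rejected handshake with no 4100 event points at CryptSvc, the policy value, or outbound access to windowsupdate.com, which is what the later comment in the quoted blog post suspected.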
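The manual update procedure (steps 1 to 3 above), as an added example that is not part of the original message: it takes a snapshot of the Trusted Root and Third-Party Root stores before and after running the four updroots.exe commands, so the "did I end up with more than I started with?" question is answered by a diff of thumbprints rather than a rough count. The working directory is the one the post uses; the Authenticode check before running the downloaded executable is an added safeguard and assumes rootsupd.exe carries a Microsoft signature. Run from an elevated prompt.

```powershell
# Added example, not from the original post. Paths and the signature check are assumptions.
$work   = 'C:\temp\extroot'
$stores = 'Root', 'AuthRoot'   # Trusted Root CAs and Third-Party Root CAs (where updroots.exe writes)

function Get-RootSnapshot {
    # One row per store/thumbprint so the comparison is by identity, not by count.
    foreach ($s in $stores) {
        Get-ChildItem "Cert:\LocalMachine\$s" | ForEach-Object {
            New-Object PSObject -Property @{ Store = $s; Thumbprint = $_.Thumbprint; Subject = $_.Subject }
        }
    }
}

function Show-Counts($label, $snap) {
    $perStore = ($snap | Group-Object Store | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    Write-Host ("{0}: {1} roots ({2})" -f $label, $snap.Count, $perStore)
}

$before = @(Get-RootSnapshot)
Show-Counts 'Before' $before

# Step 1 from the post: download rootsupd.exe from Windows Update.
New-Item -ItemType Directory -Path $work -Force | Out-Null
$url = 'http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe'
$exe = Join-Path $work 'rootsupd.exe'
(New-Object System.Net.WebClient).DownloadFile($url, $exe)

# The download is plain http, so verify the Authenticode signature before executing anything.
$sig = Get-AuthenticodeSignature -FilePath $exe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Refusing to run rootsupd.exe: signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# Step 2 from the post: extract the package.
& $exe /c "/t:$work" | Out-Null

# Step 3 from the post: apply the four .sst files, in the order given.
Push-Location $work
try {
    & .\updroots.exe authroots.sst
    & .\updroots.exe updroots.sst
    & .\updroots.exe -l roots.sst
    & .\updroots.exe -d delroots.sst
} finally {
    Pop-Location
}

$after = @(Get-RootSnapshot)
Show-Counts 'After' $after

# Diff by (Store, Thumbprint): '=>' rows were added, '<=' rows were removed (delroots.sst).
Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Store, Thumbprint -PassThru |
    Sort-Object SideIndicator, Store, Subject |
    Select-Object @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added' } else { 'removed' } } }, Store, Thumbprint, Subject |
    Format-Table -AutoSize
```

Keep the "Before" snapshot (for example `$before | Export-Csv`) if the update is being rolled out across a fleet: the same diff then shows whether a machine drifted from the baseline, which is the control a sysadmin who has turned dynamic updates off actually wants.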