Microsoft has introduced a new root update mechanism in different versions of Microsoft Windows. These mechanisms are increasingly geared toward distributing fewer root certificates and instead making distribution as seamless as possible through the Windows Root Certificate Program, which is required for distributing root certificates. To understand the differences in the root update mechanism, it is most convenient to divide Windows versions into two categories:
OS versions that support automatic root updates with individual root certificates
Older OS versions that rely on an optional root update package (a package that contains all currently distributed root certificates)
On Windows client SKUs running Windows Vista or later, the automatic root update mechanism is fully supported. It is recommended that versions of Windows earlier than Windows Vista download the optional root update package, which contains all currently distributed root certificates.
Windows Vista and Windows 7
Root certificates on Windows Vista or later are distributed through the automatic root update mechanism; that is, they are distributed as individual root certificates. When a user visits a secure website (for example, over HTTPS/SSL), reads secure email (S/MIME), or downloads a signed (code-signed) ActiveX control, and the software encounters a root certificate that is not yet on the system, the Windows certificate chain validation software checks Microsoft Update for that root certificate. If it finds the root certificate, it downloads the current Certificate Trust List (CTL). The CTL lists all the root certificates trusted in the program, and the software verifies that the required root certificate is present in that list. It then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities store. If the root certificate is not found, the certificate chain cannot be completed and the system returns an error.
A successful root update is seamless for the user. Users will not see any security dialog boxes or warnings, and the download takes place automatically. Additionally, on Windows Vista or later, client SKUs support a weekly prefetch from Microsoft Update to check for updated root certificate attributes (for example, Extended Validation (EV), code signing, or server authentication attributes) that are then added to the attributes of the root certificate.
Windows XP
Windows XP does not fully support the automatic root update mechanism. When a root certificate already exists on the user's system, it is not updated even if the copy of the root certificate that Microsoft distributes has changed. Windows XP also does not support the weekly prefetch of certificate attributes from Microsoft Update; the only way to install new root certificate attributes on Windows XP is to install a root update package.
It is recommended that users running Windows XP download and install the root update package to update their root certificates. The root certificates are delivered as an optional root update package, an executable file that contains every root certificate distributed through the Windows Root Certificate Program for Windows XP, through Microsoft Update. Windows XP users can select the update individually and download the package from Microsoft Update. Alternatively, the root update package can be selected so that it is downloaded automatically as part of automatic updates. Optional root update packages are refreshed approximately three to four times a year, or roughly quarterly.
Windows Server 2003 and Windows Server 2008, Windows Server 2008 R2
On Windows Server 2008 and later, but not on Windows Server 2003, the automatic root update mechanism is enabled. Windows Server 2003 only partially supports the automatic root update mechanism. (This differs from the support on Windows XP: the root update package is targeted at Windows XP client SKUs only and is not targeted at Windows Server SKUs.) However, the root update package can be downloaded and installed on Windows Server SKUs, subject to the following limitations.
If you install the root update package on a Windows Server SKU, you may exceed the number of root certificates that Schannel can handle when it sends the trusted root list to the client during a TLS or SSL handshake, because the number of root certificates distributed in a root update package may exceed this limit. When root certificates are updated, the trusted CA list grows significantly and may become too long; the list may then be truncated, which causes client authentication issues. This behavior may also produce Schannel event ID 36885.
In Windows Server 2003, the trusted issuer list cannot be larger than 0x3000.
If you require a client certificate on the website, or if you are using IAS on Windows Server 2003, the client cannot establish the connection.
Note that these restrictions will apply only if you enable SSL client authentication on the Windows server.
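The following is an added example, not part of the Microsoft article, that a server administrator can use to check whether a Windows Server SKU is close to the trusted-issuer-list limit described above and whether Schannel has already logged event ID 36885. It assumes an elevated PowerShell session on Windows Server 2008 or later, and it treats the article's 0x3000 figure as a byte count (an assumption for the estimate).

```powershell
# Added example: estimate the size of the trusted issuer list that Schannel
# would send in a TLS CertificateRequest, and look for Schannel event 36885.
# Assumptions: elevated session, Windows Server 2008 or later, and the
# 0x3000 limit quoted in the article interpreted as bytes.

$IssuerListLimit = 0x3000

# Every certificate in the machine Trusted Root store is a candidate issuer.
$roots = @(Get-ChildItem -Path Cert:\LocalMachine\Root)

# The issuer list carries the DER-encoded distinguished name of each root,
# each entry prefixed by a 2-byte length, so sum those to estimate its size.
$estimatedBytes = 0
foreach ($cert in $roots) {
    $estimatedBytes += 2 + $cert.SubjectName.RawData.Length
}

[pscustomobject]@{
    RootCertificates     = $roots.Count
    EstimatedIssuerBytes = $estimatedBytes
    LimitBytes           = $IssuerListLimit
    ExceedsLimit         = ($estimatedBytes -gt $IssuerListLimit)
}

# Schannel logs event 36885 in the System log when the trusted CA list
# has grown too long to send to clients that are asked for a certificate.
$events = @(Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Schannel'
    Id           = 36885
} -MaxEvents 5 -ErrorAction SilentlyContinue)

if ($events.Count -gt 0) {
    Write-Warning ("Schannel event 36885 seen {0} time(s); most recent: {1}" -f `
        $events.Count, $events[0].TimeCreated)
} else {
    'No Schannel event 36885 found in the System log.'
}
```

The limit only matters when SSL client authentication is enabled on the server, so a large estimate on a server that never requests client certificates is informational rather than a fault.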
Root update package installation in a disconnected environment
It is recommended that in a disconnected environment (for example, one in which the automatic root update mechanism does not work because no connection to Microsoft Update is available), systems running Windows client or server SKUs have the root update package installed. The root update package serves as a workaround for Windows Vista and Windows 7 in a disconnected environment. However, we do not recommend installing root update packages on systems that are already connected to Microsoft Update over a network, because the automatic root update mechanism applies to them.
You can use Group Policy to distribute root certificates to a group of servers in a disconnected environment.
The Windows Vista Crypt32.dll resource file includes a set of trusted third-party root certificates that can be used as a fallback if the connection to Windows Update is unavailable. When an automatic root update is triggered, it first attempts to download the trusted third-party root certificate from the web. In an offline environment, network retrieval fails, and CAPI then checks the root certificate resource in Crypt32.dll. If the root certificate is found there, it is used and installed in the root store. Windows 7 behaves similarly.
If automatic root updates are disabled, no root retrieval attempt is made, and therefore the root certificate is not installed. Note that the resources in Crypt32.dll include only the root certificates that existed in the program at the time that operating system release was built. Any root certificates added later do not exist in this resource, and such certificates are available only through the root update package.