momo zone

A kernel tuner's blog

Windows automatic root certificate update

It seems many people move a CA such as CNNIC from the trusted CAs to the untrusted CAs rather than simply deleting that CA. The reason is that after deletion, the next time Windows encounters that CA or a certificate it issued, it automatically adds and trusts the CA again. So why are self-signed certificates not automatically added and trusted? Microsoft's explanation is that when an unknown CA is encountered, the system goes online to verify it. I have not captured any trace of that, though; I think it probably works much like Linux, and that the system also holds a hard-coded CA database somewhere.

Group Policy can still block the automatic addition of any CA:

gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings, and turn off automatic root certificate update.

My intention is to keep the trusted CAs in the system's certmgr.msc unchanged; the CAs already in there are sufficient, and I rarely run into an unknown CA.
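An added example (not code from the original post) that audits the same setting without opening gpedit.msc. It assumes the policy above writes the DWORD DisableRootAutoUpdate under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot, and that the AutoUpdate key holds a FILETIME in LastSyncTime; both are assumptions stated in the comments.

```powershell
# Added example, not from the original post. Reads the registry value that the
# "turn off automatic root certificate update" policy writes (assumed path and
# value name) plus the last Windows Update sync time of the root list (assumed
# to be a REG_BINARY FILETIME named LastSyncTime), so the state can be audited
# from a script or a monitoring job.
function Get-RootAutoUpdateState {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $cacheKey  = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'

    $disabled = $false
    if (Test-Path $policyKey) {
        $v = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).DisableRootAutoUpdate
        $disabled = ($v -eq 1)
    }

    $lastSync = $null
    if (Test-Path $cacheKey) {
        $raw = (Get-ItemProperty -Path $cacheKey -ErrorAction SilentlyContinue).LastSyncTime
        if ($raw -is [byte[]] -and $raw.Length -eq 8) {
            # FILETIME: 100 ns ticks since 1601-01-01 UTC, little-endian
            $lastSync = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
        }
    }

    [pscustomobject]@{
        AutoRootUpdateDisabled = $disabled
        LastWindowsUpdateSync  = $lastSync   # $null if the list was never synced
    }
}

# Writes the same value the Group Policy editor writes (requires elevation).
function Disable-RootAutoUpdate {
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    New-Item -Path $policyKey -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name DisableRootAutoUpdate `
        -PropertyType DWord -Value 1 -Force | Out-Null
}

Get-RootAutoUpdateState
```

A LastWindowsUpdateSync that keeps advancing after the policy is set means the setting is not being applied (for example, a domain GPO overriding it).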

In certmgr.msc, "Trusted Root Certification Authorities" holds somewhat more certificates than "Third-Party Root Certification Authorities". Is the surplus first-party, that is, Microsoft's own? Roughly, with three exceptions: one VeriSign, one Symantec, and one Thawte Timestamping CA. Also, what certmgr.msc shows is "Certificates - Current User"; there is also "Certificates - Local Computer", which can be viewed through mmc and has a few more "logical store names". mmc can also show service certificates.

sigcheck from the Sysinternals Suite can display the same thing: -t shows "Certificates - Local Computer" and -tu shows "Certificates - Current User", but a few logical store names have to be translated: root corresponds to Trusted Root Certification Authorities, and My to Personal.
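The Root/AuthRoot comparison described above, as an added example that is not from the original post. It uses the PowerShell Cert: drive, where Root is "Trusted Root Certification Authorities" and AuthRoot is "Third-Party Root Certification Authorities"; no other assumptions.

```powershell
# Added example, not from the original post. Lists what is in the Root store but
# not in AuthRoot for a given location, matching by SHA-1 thumbprint rather than
# by subject name so that re-issued roots with the same name are not confused.
function Compare-RootStores {
    param([ValidateSet('CurrentUser', 'LocalMachine')][string]$Location = 'LocalMachine')

    $root     = @(Get-ChildItem "Cert:\$Location\Root")
    $authRoot = @(Get-ChildItem "Cert:\$Location\AuthRoot")

    $thirdParty = @{}
    foreach ($c in $authRoot) { $thirdParty[$c.Thumbprint] = $true }

    # Roots only in Root: Microsoft's own, the few third-party exceptions the
    # post mentions, and anything that was added locally (worth reviewing).
    $onlyInRoot = $root | Where-Object { -not $thirdParty.ContainsKey($_.Thumbprint) }

    [pscustomobject]@{
        Location      = $Location
        RootCount     = $root.Count
        AuthRootCount = $authRoot.Count
        OnlyInRoot    = @($onlyInRoot | Sort-Object Subject |
                          Select-Object Subject, NotAfter, Thumbprint)
    }
}

foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $r = Compare-RootStores -Location $loc
    "{0}: Root={1} AuthRoot={2} only-in-Root={3}" -f `
        $r.Location, $r.RootCount, $r.AuthRootCount, $r.OnlyInRoot.Count
    $r.OnlyInRoot | Format-Table -AutoSize
}
```

Self-signed roots that do not carry a Microsoft issuer and are not among the expected exceptions are the entries to investigate first.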

These are still not all of the certificates present on the system, though; let us go through it step by step.

Windows obtains certificates from the following sources:

the local certificate store (registry), the local URL cache (Windows Update), and crypt32.dll

Apart from the local certificate store, each of the others can hold all of the certificates Microsoft trusts; the root certification authorities Windows trusts (all CAs) can be looked up here:

http://social.technet.microsoft.com/wiki/contents/documents/2592.windows-root-certificate-program-members-list-all-cas.aspx

Next, install RSAT (Remote Server Administration Tools): https://www.microsoft.com/en-us/download/details.aspx?id=45520

In fact, the so-called local certificate store lives entirely in the registry:
Microsoft's “certutil” command allows you to search certificate stores at 5 locations:

1. Local Machine (no option) – This is the default option. Local machine certificate stores are recorded in Windows registry at “HKEY_LOCAL_MACHINE\Software\Microsoft\SystemCertificates”. Predefined certificate store names are: AuthRoot, CA, MY, Root, UserDS, … For example, “certutil -store root” command dumps all certificates from the “Root” certificate store at the local machine location.

2. Current User (“-user” option) – Current user certificate stores are recorded in Windows registry at “HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates”. Predefined certificate store names are: AuthRoot, CA, MY, Root, … For example, “certutil -user -store my” command dumps all certificates from the “MY” certificate store at the current user location.

3. Machine Enterprise (“-enterprise” option) – Machine enterprise certificate stores are recorded in Windows registry at “HKEY_LOCAL_MACHINE\Software\Microsoft\EnterpriseCertificates”. Predefined certificate store names are: AuthRoot, CA, NTAuth, Root, … For example, “certutil -enterprise -store ntauth” command dumps all certificates from the “NTAuth” certificate store at the machine enterprise location.

4. Machine Service (“-service” option) – Machine service certificate stores are recorded in Windows registry at “HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Services\ServiceName\SystemCertificates”. Predefined certificate store names are: MY, CA, Trust, Root, … For example, “certutil -service -store MOM\My” command dumps all certificates from the “MY” certificate store of the “MOM” service at the machine service location.

5. Machine Group Policy (“-grouppolicy” option) – Machine group policy certificate stores are recorded in Windows registry at “HKEY_LOCAL_MACHINE\Software\Policy\Microsoft\SystemCertificates”. Predefined certificate store names are: AuthRoot, CA, Trust, … For example, “certutil -grouppolicy -store ca” command dumps all certificates from the “CA” certificate store at the machine group policy location.

If you want to see the certificate store names defined in the Windows registry, you can use “regedit” to view the registry key of the certificate store location.

All of the certificates above have been covered; now comes the interesting part:

powershell -Command "[IO.File]::WriteAllBytes('authroot-local.stl',(Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate').EncodedCtl)"

The generated .stl file is called Silent Trusted Root Authority; it is synchronized with Windows Update and contains the 300-plus CA certificates Microsoft trusts:
1. When automatic certificate update is enabled, the machine cannot go online, and the required certificate is not in the local store, it is looked up in this .stl.
2. Under the same conditions, if the .stl does not contain the required certificate, the built-in certificates in crypt32.dll are consulted.
3. When automatic certificate update is enabled, the machine can go online, and the required certificate is not in the local store, it is fetched from Windows Update.
4. When automatic certificate update is disabled, only the local store counts, whether or not the machine can go online.

Looking at crypt32.dll next: a string search shows that it also holds those 300-plus CA certificates.

Some related command-line operations:
certutil -verifyCTL AuthRootWU

Reads the trusted-certificate CAB package from the URL. If -f is specified, the URL is ignored and the package is downloaded from Microsoft's Windows Update.


certutil -verifyCTL AuthRoot

Reads the trusted certificates from the registry. Add -f and a not-yet-trusted certfile to force an update of the registry-cached AuthRoot and untrusted certificates.


certutil -verifyCTL DisallowedWU

Reads the untrusted-certificate CAB package from the URL. If -f is specified, the URL is ignored and the package is downloaded from Microsoft's Windows Update. Add -f and a not-yet-trusted certfile to force an update of the registry-cached AuthRoot and untrusted certificates.


certutil -verifyCTL Disallowed

Reads the untrusted certificates from the registry.

CTL is short for certificate trust list.

certutil -SyncWithWU -f \path\to\cert_store

Downloads all root certificates from Windows Update into the cert_store directory, one file per certificate, together with authrootstl.cab, disallowedcertstl.cab, pinrulesstl.cab, disallowedcert.sst and pinrules.sst, which already cover those individual certificate files. An .sst file can be opened directly in certmgr.msc by double-clicking it. The .stl file extracted from a .cab can be viewed with certutil -dump.


There is no authroots.sst, however; no matter, it can be obtained with the following command:

certutil -generateSSTFromWu authroots.sst
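An added example (not from the original post) that turns the certutil -syncWithWU download above into a check: every root the local machine trusts that is absent from Microsoft's list is reported for review. It assumes certutil is on PATH, Windows Update is reachable, and that the sync writes one <thumbprint>.crt file per root; the directory name is arbitrary.

```powershell
# Added example, not from the original post. Syncs Microsoft's root list with
# certutil -syncWithWU, indexes it by SHA-1 thumbprint, and lists trusted roots
# (Root and AuthRoot stores) that are not on that list.
function Find-UnlistedRoots {
    param([string]$SyncDir = (Join-Path $env:TEMP 'ms-root-sync'))   # arbitrary

    New-Item -ItemType Directory -Force -Path $SyncDir | Out-Null
    certutil -syncWithWU -f $SyncDir | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "certutil -syncWithWU failed (exit code $LASTEXITCODE)" }

    # Index by the thumbprint computed from each certificate, not by file name.
    $listed = @{}
    foreach ($f in Get-ChildItem -Path $SyncDir -Filter '*.crt') {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $f.FullName
        $listed[$c.Thumbprint] = $c.Subject
    }
    if ($listed.Count -eq 0) { throw "No .crt files in $SyncDir; the sync produced no root list" }

    # Everything the machine currently trusts as a root, from both stores.
    $trusted = @(Get-ChildItem Cert:\LocalMachine\Root) + @(Get-ChildItem Cert:\LocalMachine\AuthRoot)

    $trusted |
        Where-Object { -not $listed.ContainsKey($_.Thumbprint) } |
        Sort-Object Thumbprint -Unique |
        Select-Object @{ n = 'Store'; e = { $_.PSParentPath.Split('\')[-1] } },
                      Subject, NotBefore, NotAfter, Thumbprint
}

$unlisted = @(Find-UnlistedRoots)
"{0} trusted root(s) not in the Windows Update root list" -f $unlisted.Count
$unlisted | Format-Table -AutoSize
```

Roots deployed by Group Policy or an internal enterprise CA will show up here as expected entries; anything else is a root that someone or something added to this machine on its own.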
