Hello.
I think it is usually updated by something called "Microsoft Trusted Root Certificate Program".
Therefore, the certificate is distributed by Windows Update.
https://learn.microsoft.com/en-us/security/trusted-root/release-notes
(Not the best form to self-answer, but after digging we found out we simply didn't know how the Windows certificate trust store operates.)
Definition: root / CA certificates may be referred to as trusted roots and are packaged in Certificate Trust Lists (CTLs) by Microsoft.
Windows downloads most⁽¹⁾ CAs at runtime on the fly / on-demand, when a compatible Windows library⁽²⁾ starts any TLS session: during the TLS handshake, if the certificate chain is not trusted based on the current local trusted roots, Windows downloads the matching root certificate from CTLs on Windows Update servers – ctldl.windowsupdate.com in this case. CTLs that are indeed from the Microsoft Trusted Root Program (updated lists).
_
It turns out the Windows application mentioned in the question does not use the Windows APIs⁽²⁾ that auto-download missing CAs such as the Starfield Services Root Certificate Authority - G2 in this case. Definitely an application bug.
Again, most browsers are unlikely to be affected as they all use their own trust stores now (including Edge), so their behaviour on Windows won't match desktop applications.
_
References: I have not been able to find official sources clearly detailing the whole mechanism, or which Windows libraries / APIs must be used to trigger it⁽²⁾. But clearly, the trust store is not periodically updated by the Windows Update client/feature. Clues:
- The description of the Windows registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\SystemCertificates\AuthRoot → DisableRootAutoUpdate alludes to it: "when you are presented with a certificate issued by an untrusted root authority, your computer will [not] contact the Windows Update website to see if Microsoft has added the CA to its list of trusted authorities." This is the most official reference I've found describing it done on the fly.
- learn.microsoft.com / Windows Server / Certificates and trust in Windows details the servers used and certificates origin. It also notes that "Windows Server features automatic daily update functionality that includes downloads of latest CTLs." I cannot confirm if this feature actually exists on servers, but I'd strongly suggest it doesn't on Windows desktops.
- Searching for the registry key yields many third-parties describing this behaviour, such as https://support.sophos.com/support/s/article/KBA-000008163
____________
- ⁽¹⁾ I presume Windows installs and updates some key CAs allowing it to trust their own servers e.g. to download missing CAs and do updates.
- ⁽²⁾ I didn't search for the exact library calls that must be used; I am not a C/++/# programmer. "winhttp" is allegedly okay, and someone mentioned "the Microsoft s_client crypto library" on Reddit. curl.exe also seems to do it.
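An added diagnostic, not part of the original thread, for checking the behaviour described above on a given machine: it reads the DisableRootAutoUpdate policy value, snapshots the AuthRoot store, connects to a TLS host and builds the chain through the Windows APIs, then reports whether a root was fetched. It assumes that .NET's SslStream and X509Chain go through SChannel / CryptoAPI (CertGetCertificateChain) on Windows and therefore trigger the on-demand CTL download; the host name is a placeholder.

```powershell
# Added diagnostic (not from the original thread). Assumption: SslStream and
# X509Chain use SChannel / CryptoAPI on Windows, i.e. the code path that
# consults the AuthRoot CTL on ctldl.windowsupdate.com for a missing root.
param(
    [string]$HostName = 'example.com',   # placeholder: TLS host whose root you want to test
    [int]$Port = 443
)

# 1. Is the on-demand root download disabled by policy?
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$disabled = (Get-ItemProperty -Path $policy -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue).DisableRootAutoUpdate
if ($disabled -eq 1) { Write-Warning "Root auto-update is disabled by policy ($policy\DisableRootAutoUpdate = 1)" }
else { Write-Host "Root auto-update is not disabled by policy" }

# 2. Snapshot the AuthRoot store (where auto-downloaded third-party roots land)
$before = @((Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint)

# 3. Fetch the server's leaf certificate; the callback accepts anything so that a
#    missing root does not abort the handshake before we can inspect the chain
$client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($HostName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# 4. Build the chain explicitly through CryptoAPI and show the resulting root
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep the test about trust, not revocation
$ok = $chain.Build($leaf)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Chain valid: $ok; top of chain: $($root.Subject) [$($root.Thumbprint)]"
foreach ($s in $chain.ChainStatus) { "  status: $($s.Status) - $($s.StatusInformation.Trim())" }

# 5. Did the handshake / chain build pull a new root into AuthRoot?
$after = @((Get-ChildItem Cert:\LocalMachine\AuthRoot).Thumbprint)
$new = $after | Where-Object { $before -notcontains $_ }
if ($new) { "Roots added to AuthRoot during this test: $($new -join ', ')" }
else { "No new roots were downloaded (already trusted, or auto-update not triggered)" }
```

Run it against a host whose root is not yet in the local store: a chain that fails before and succeeds after, with a new AuthRoot thumbprint listed, confirms the on-demand download; a failure with no new root points at the policy key, a blocked ctldl.windowsupdate.com, or an application that bypasses these APIs.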
Hi Riku, Indeed! And all the certificates at play are listed on the Microsoft "included" list: https://ccadb.my.salesforce-sites.com/microsoft/IncludedCACertificateReportForMSFT With those deployed by Windows Update, it's surprising to hear about Windows machines missing it. Many of our affected users triggered Windows Update today and it fixed the issue for them.
On the other hand, the "Amazon Root CA 1"/2/3/4 CAs are also in that Microsoft "included" list but I have yet to see a machine with them installed.
I also verified that my PC does not contain any certificates. I'm guessing that "Starfield Services Root Certificate Authority - G2" is probably included, and because of this, it is determined that "Amazon Root CA 1" is unnecessary.
I think the explanation in the following part of the document you are looking at is relevant. https://aws.amazon.com/jp/blogs/security/acm-will-no-longer-cross-sign-certificates-with-starfield-class-2-starting-august-2024/