Microsoft Root Certificate Bundle, where?
On 26. 11. 2014 4:19, grarpamp wrote:
> On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik <[email protected]> wrote:
>> This might help http://unmitigatedrisk.com/?p=259 also check
>
> That seems to reference old MS cert distribution models
> and cert data stores. And uses cloudflare captcha.
I'm sorry if I provided outdated information. Anyway, I think that Microsoft
still uses CTLs in order to update the trust store. For reference, see for
example https://support.microsoft.com/kb/2677070 or
https://technet.microsoft.com/en-us/library/security/2982792.aspx
CTLs can be downloaded using any browser at these URLs:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Unfortunately, the CTL does not contain the entire certificate, only its hash, but
using the link provided you can download the certificates.
If you have a Windows machine with certutil you can parse and download the CTL
with a simple PowerShell script:
certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process {
    # Take the hex value after the colon and strip the spaces
    $caCertSKI = $_.Split(":")[1].Replace(" ","")
    $caCertSKI
    # Fetch the certificate published under that identifier
    Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$caCertSKI.crt" -OutFile "$caCertSKI.crt"
}
Martin
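
Added example, not part of the original message: because the certificates are fetched over plain HTTP and the CTL carries only a hash per entry, each downloaded file can be checked against the identifier it was requested under. It assumes the script above has saved files named `<identifier>.crt` in the current directory and that the identifier is the certificate's SHA-1 hash; the variable names are illustrative.

```powershell
# Added example: compare each downloaded certificate with the CTL identifier
# used as its file name. Assumption: the identifier is the SHA-1 hash of the
# certificate, which is the value X509Certificate2.Thumbprint returns.
$results = Get-ChildItem -Path . -Filter *.crt | ForEach-Object {
    $file     = $_
    $expected = $file.BaseName.ToUpperInvariant()
    $actual   = $null
    $subject  = $null
    try {
        # Throws if the file is truncated, an error page, or otherwise not a certificate
        $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                           -ArgumentList $file.FullName -ErrorAction Stop
        $actual  = $cert.Thumbprint
        $subject = $cert.Subject
    } catch {
        Write-Warning ("{0}: not a parsable certificate ({1})" -f $file.Name, $_.Exception.Message)
    }
    [pscustomobject]@{
        File     = $file.Name
        Expected = $expected
        Actual   = $actual
        Match    = ($actual -eq $expected)   # string -eq is case-insensitive
        Subject  = $subject
    }
}

# List every file whose content does not hash to the identifier it was saved under
$mismatched = @($results | Where-Object { -not $_.Match })
$mismatched | Format-Table -Property File, Expected, Actual -AutoSize

$total = @($results).Count
"{0} of {1} certificates match their CTL identifier" -f ($total - $mismatched.Count), $total
```

Files that fail to parse are reported with a warning and counted as mismatches, so a failed or substituted download does not pass silently.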