As you may know, the DigiNotar CAs were compromised for several reasons (one, two). Microsoft has decided to break trust in the DigiNotar CAs entirely: http://support.microsoft.com/kb/2607712. Trust breaking is performed as follows:

  1. DigiNotar CA certificates are removed from Windows Update;
  2. DigiNotar CA certificates are removed from crypt32.dll on Windows Vista and newer;
  3. DigiNotar CA certificates are moved from the Trusted Root CAs container to the Untrusted Certificates container.

Who is next? Comodo? However, this discussion is not about DigiNotar and Comodo (obviously, yes?).

A customer on the TechNet forums asked why the mentioned update touches crypt32.dll on Windows XP and Windows Server 2003. Really, why? The short answer is here: Certificate Chaining Engine (CCE). However, I had noted that the certificates embedded in crypt32.dll are updated only on Windows Vista and newer; Windows XP and Windows Server 2003 do not contain predefined certificates in crypt32.dll. A very interesting question. I addressed it to the Windows PKI team and got an answer. The reason is that systems prior to Windows Vista honor only end entity certificates in the Untrusted Certificates container; CA certificates are not handled by this container. This means that if you move a CA certificate into this container, nothing happens. The update (see above) changes the Untrusted Certificates behavior so that CA certificates in the store are handled as well. This allows you to revoke even Root CA certificates by moving them from the Trusted Root CAs container to the Untrusted Certificates container. Alternatively, you can publish a CA certificate to Untrusted Certificates to explicitly break trust in that specific certificate, even if it is already present in the Trusted Root CAs container, because Untrusted Certificates takes precedence over Trusted Root CAs. This behavior was already implemented in Windows Vista and newer systems.
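To see the behavior described above on your own machine, here is an added PowerShell example (not from the original post): it lists the CA certificates sitting in the Untrusted Certificates (Disallowed) store, flags those that are also still in Trusted Root CAs, and builds the chain for a leaf certificate so you can confirm that an untrusted issuer overrides Trusted Root CAs. It assumes PowerShell 3.0 or later, an elevated session, and uses the placeholder path C:\temp\leaf.cer.

```powershell
# Added example, not from the original post. Uses only the .NET X509Store/X509Chain
# API so it works the same on Vista+ and on XP/2003 after KB2607712.

function Get-DisallowedCACertificate {
    # Enumerate the Untrusted Certificates store and keep only entries whose
    # Basic Constraints extension says CA=true (the ones XP/2003 ignored before the update).
    param([string]$StoreLocation = 'LocalMachine')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', $StoreLocation)
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            if ($bc -and $bc.CertificateAuthority) {
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    Thumbprint = $cert.Thumbprint
                    NotAfter   = $cert.NotAfter
                    # Same thumbprint still published under Trusted Root CAs? Untrusted wins anyway.
                    AlsoInRoot = Test-Path "Cert:\$StoreLocation\Root\$($cert.Thumbprint)"
                }
            }
        }
    } finally { $store.Close() }
}

function Test-CertificateTrust {
    # Build the chain for a certificate file and report the chaining engine's verdict.
    # On a system with the new behavior, a chain ending in an issuer that sits in
    # Untrusted Certificates fails to build even if that issuer is also a trusted root.
    param([Parameter(Mandatory=$true)][string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # judge trust only, not CRL reachability
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Subject = $cert.Subject
        Trusted = $trusted
        Status  = ($chain.ChainStatus   | ForEach-Object { $_.Status }) -join ', '
        Chain   = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

Get-DisallowedCACertificate | Format-Table -AutoSize
Test-CertificateTrust -Path 'C:\temp\leaf.cer'   # placeholder: any leaf issued under a listed CA
```

On an unpatched XP/2003 box the first function still lists the CA certificates, but the second will report Trusted = True for a leaf under them, which is exactly the gap the update closes.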

Off topic: do you want an EV certificate and a green/red bar in your web browser? DigiNotar still sells EV certificates (http://www.diginotar.com/Products/ExtendedValidationSSL/tabid/622/Default.aspx) for €975 per 2 years :) don't miss the chance ;)


Comments:

MikeH

I just came across your site. I was looking for information about programming certificates with PowerShell to replace makecert.exe. I'm deeply impressed by your knowledge of certificates. Congratulations. Couldn't you write a book about programming certificates using .NET and PowerShell? Especially troubleshooting certificate issues with PowerShell? Are there any current books available on the market you could recommend? Keep up the great work!

Vadims Podans

Thanks for the comment! Currently I have no plans to write books, and I'm not aware of any existing books on the market. But you can learn some of my stuff here and in my Russian blog (consider using an online translator to read the text): http://www.sysadmins.lv/CategoryView,category,PowerShellCertificateAuthority.aspx http://www.sysadmins.lv/CategoryView,category,PowerShellCertificates.aspx http://www.sysadmins.lv/CategoryView,category,PowerShellCryptoAPI.aspx Yes, there you can find some scripts that replace makecert.exe functionality.
