Archived: Windows XP Component "Update Root Certificates"
This section describes the process used by the Windows XP component, Update Root Certificates, to communicate with the Windows Update Website to fetch a trusted root certificate and install it on the local computer automatically.
To understand better why IE 8 automatically reinstalls a trusted root certificate on my computer, I did some quick research and found this article, "Certificate Support and the Update Root Certificates Component", on the Microsoft Website:
Using Microsoft Windows XP Professional with Service Pack 1 in a Managed Environment: Controlling Communication with the Internet
- Certificate Support and the Update Root Certificates Component
- Published: December 27, 2004
How Update Root Certificates Communicates with Sites on the Internet
This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment" provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet.
If the Update Root Certificates component is installed on a user's computer, and the user's application is presented with a certificate issued by a root certification authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows:
Specific information sent or received: Update Root Certificates sends a request to the Windows Update Website, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the user's computer. No user authentication or unique user identification is used in this exchange.
Default setting and ability to disable: Update Root Certificates is installed by default in Windows XP with SP1. You can remove or exclude this component from installation on users' computers.
Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.
Now I understand better what happened when I visited a secured Website using IE 8 and the root certificate for that Website was not installed on my Windows XP system:
- IE 8 reached out to https://login.yahoo.com for the server certificate.
- IE 8 received the "login.yahoo.com" certificate.
- IE 8 could not find the root certificate to validate the "login.yahoo.com" certificate.
- IE 8 turned to the Windows XP "Update Root Certificates" component for help.
- "Update Root Certificates" contacted "http://windowsupdate.microsoft.com/".
- "Update Root Certificates" fetched the root certificate.
- "Update Root Certificates" installed the root certificate on the local computer.
- "Update Root Certificates" returned control to IE 8.
- IE 8 validated the "login.yahoo.com" certificate with the newly installed root certificate.
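Because the component installs roots with no user notification, one way to see which roots have appeared is to compare the machine root stores against a saved baseline. The script below is an added example, not code from this book or from Microsoft's article; the baseline path and the function names are assumptions, and it relies only on the PowerShell certificate provider (`Cert:` drive).

```powershell
# Added example: list root certificates that appeared in the machine trust
# stores since a saved baseline. First run writes the baseline; later runs diff.
$BaselinePath = 'C:\Baselines\root-thumbprints.csv'   # hypothetical path; folder must exist
$Stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot'

function Get-RootInventory {
    # One row per certificate in each store (Root = Trusted Root CAs,
    # AuthRoot = Third-Party Root CAs).
    foreach ($store in $Stores) {
        Get-ChildItem -Path $store | ForEach-Object {
            New-Object PSObject -Property @{
                Store      = $store
                Thumbprint = $_.Thumbprint
                Subject    = $_.Subject
                NotAfter   = $_.NotAfter
            }
        }
    }
}

function Compare-RootInventory {
    param($Baseline, $Current)
    # Key on store + thumbprint so the same root in two stores is tracked twice.
    $known = @{}
    foreach ($row in $Baseline) {
        $known["$($row.Store)|$($row.Thumbprint)"] = $true
    }
    $Current | Where-Object {
        -not $known.ContainsKey("$($_.Store)|$($_.Thumbprint)")
    }
}

$current = @(Get-RootInventory)
if (-not (Test-Path $BaselinePath)) {
    $current | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written: $($current.Count) certificates."
} else {
    $baseline = @(Import-Csv -Path $BaselinePath)
    $added = @(Compare-RootInventory -Baseline $baseline -Current $current)
    if ($added.Count -eq 0) {
        Write-Output 'No new root certificates since baseline.'
    } else {
        # Each row is a root that was not present when the baseline was taken.
        $added | Select-Object Store, Thumbprint, Subject, NotAfter | Format-Table -AutoSize
    }
}
```

Run it once on a known-good system to record the baseline, then again after browsing to HTTPS sites; any row it prints is a root that was added in between.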