On 26. 11. 2014 4:19, grarpamp wrote:
> On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik <[email protected]> wrote:
>> This might help http://unmitigatedrisk.com/?p=259 also check
>
> That seems to reference old MS cert distribution models
> and cert data stores. And uses cloudflare captcha.
I'm sorry if I provided outdated information. Anyway, I think that Microsoft still uses CTLs in order to update the trust store. For reference see, for example, https://support.microsoft.com/kb/2677070 or https://technet.microsoft.com/en-us/library/security/2982792.aspx

CTLs can be downloaded using any browser from these URLs:

http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Unfortunately, the CTL does not contain the entire certificate, only its hash, but using the link provided you can download the certificates.

If you have a Windows machine with certutil you can parse and download the CTL with a simple PowerShell script:

    # Dump the CTL (authroot.stl, extracted from authrootstl.cab) and keep only the
    # "Subject Identifier:" lines, one per CTL entry.
    certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process {
        # The identifier is the hex string after the colon; strip the whitespace.
        $caCertSKI = $_.split(":")[1].Replace(" ", "")
        $caCertSKI
        # Fetch the certificate published under that identifier.
        Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$caCertSKI.crt" -OutFile "$caCertSKI.crt"
    }

Martin
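An added Python example, not part of the original message, that does offline what the PowerShell pipeline above does (extract the identifiers from a certutil dump and build the download URLs) and adds the check a practitioner would want before trusting a downloaded root: that the certificate's SHA-1 thumbprint matches the CTL identifier it was fetched under. It assumes the CTL identifier is the SHA-1 thumbprint of the DER certificate, uses a constructed dump with made-up identifiers, and takes a caller-supplied `fetch(url) -> bytes` function instead of hitting the network.

```python
import hashlib
import re

# Constructed sample of `certutil -dump authroot.stl` output (NOT a real dump);
# the hex strings are placeholders, not real thumbprints.
SAMPLE_DUMP = """\
CTL Entry[0]:
  Subject Identifier: 00112233445566778899aabbccddeeff00112233
  ...
CTL Entry[1]:
  Subject Identifier: ff ee dd cc bb aa 99 88 77 66 55 44 33 22 11 00 ff ee dd cc
"""

# Same download location the PowerShell script uses.
BASE_URL = "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"

# certutil prints the identifier either contiguous or byte-spaced; accept both.
IDENT_RE = re.compile(r"Subject Identifier:\s*([0-9a-fA-F ]{40,})")


def parse_identifiers(dump_text):
    """Return the lowercase 40-hex identifiers found in a certutil dump, in order."""
    ids = []
    for line in dump_text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            ids.append(m.group(1).replace(" ", "").lower())
    return ids


def cert_url(identifier):
    """URL the certificate for this identifier is published under."""
    return f"{BASE_URL}{identifier}.crt"


def thumbprint(der_bytes):
    """SHA-1 thumbprint of a DER-encoded certificate (assumed to equal the CTL identifier)."""
    return hashlib.sha1(der_bytes).hexdigest()


def verify_downloads(identifiers, fetch):
    """Fetch each certificate and record whether its thumbprint matches the CTL entry.

    A mismatch means the blob served under that name is not the certificate the
    CTL vouches for and must not be imported.
    """
    return {ident: thumbprint(fetch(cert_url(ident))) == ident for ident in identifiers}
```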
