2

Question: How to get Windows to detect a Certificate as appropriate for installation in the "Trusted Root Certificate Authorities"?

Background: I am building an internal site and would like the users to be able to download the server's root certificate and install it in their Windows Certificate Trust Store as a "Trusted root certificate authority". When a user opens the certificate file, they arrive at the regular Certificate inspection screen.

enter image description here

The user can then click "Install Certificate" and then choose to "Automatically select the certificate store based on the type of certificate".

Inevitably, choosing this option installs the certificate into "Intermediate Certification Authorities" instead of "Trusted Root Certification Authorities"

enter image description here

The Root Certificate is generated in OpenSSL as a self-signed Root Certificate. openssl x509 reports:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:1

I wouldn't be surprised if Windows prohibited certificates to be installed as a Trusted Root Certificate Authority in this automatic manner for security reasons, but I simply can't find any documentation on the Microsoft or MSDN sites that explains how their "automatic selection" works. Any clarification would be appreciated.

ChaimKut
  • 2,759
  • 3
  • 38
  • 64

1 Answers1

2

I wouldn't be surprised if Windows prohibited certificates to be installed as a Trusted Root Certificate Authority in this automatic manner for security reasons, but I simply can't find any documentation on the Microsoft or MSDN sites that explains how their "automatic selection" works.

you have encountered exact issue. Microsoft do not allow users to auotmatically install CA certificates in the Trusted Root CAs store. You should instruct users to install this certificate in the appropriate store.

p.s. I completely dislike the way how you distribute your root certificates. How users know that it is your certificate? How they know that you won't try to impersonate any other web site? The whole idea looks bad. If there are many clients, then I would recommend to purchase cheapest SSL certificate from commercial provider.

Crypt32
  • 12,850
  • 2
  • 41
  • 70
  • Thanks for your helpful answer. Do you have a source to back up your first statement? – Maximilian Hils Apr 28 '16 at 22:13
  • 1
    Unfortunately, I'm not sure if it is documented. At least, I never seen such reference. I just know how it works from my experience and this behavior seems obvious for me. – Crypt32 Apr 29 '16 at 06:35