Reputation: 2809
Question: How to get Windows to detect a Certificate as appropriate for installation in the "Trusted Root Certificate Authorities"?
Background: I am building an internal site and would like the users to be able to download the server's root certificate and install it in their Windows Certificate Trust Store as a "Trusted root certificate authority". When a user opens the certificate file, they arrive at the regular Certificate inspection screen.
The user can then click "Install Certificate" and then choose to "Automatically select the certificate store based on the type of certificate".
Inevitably, choosing this option installs the certificate into "Intermediate Certification Authorities" instead of "Trusted Root Certification Authorities".
The Root Certificate is generated in OpenSSL as a self-signed Root Certificate. openssl x509 reports:

    X509v3 extensions:
        X509v3 Basic Constraints: critical
            CA:TRUE, pathlen:1
I wouldn't be surprised if Windows prohibited certificates to be installed as a Trusted Root Certificate Authority in this automatic manner for security reasons, but I simply can't find any documentation on the Microsoft or MSDN sites that explains how their "automatic selection" works. Any clarification would be appreciated.
Upvotes: 2
Views: 1199
Reputation: 13954
> I wouldn't be surprised if Windows prohibited certificates to be installed as a Trusted Root Certificate Authority in this automatic manner for security reasons, but I simply can't find any documentation on the Microsoft or MSDN sites that explains how their "automatic selection" works.
You have encountered exactly this issue. Microsoft does not allow users to automatically install CA certificates in the Trusted Root CAs store. You should instruct users to install this certificate in the appropriate store.

P.S. I completely dislike the way you distribute your root certificates. How do users know that it is your certificate? How do they know that you won't try to impersonate any other web site? The whole idea looks bad. If there are many clients, then I would recommend purchasing the cheapest SSL certificate from a commercial provider.
Upvotes: 2
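One way to do what the answer recommends, added here as example code (not from the question or the answer): a PowerShell script that checks the file really is a self-signed CA certificate, compares its thumbprint against one the user obtained out of band, and only then imports it explicitly into the current user's Trusted Root store rather than relying on automatic store selection. The values of $CertPath and $ExpectedThumbprint are placeholders.

```powershell
# Added example, not code from the question or answer.
# Explicitly install a self-signed root certificate into the current user's
# Trusted Root store, after checking that it is a self-signed CA certificate
# and that its thumbprint matches one published separately (out of band).
param(
    [string]$CertPath = 'C:\path\to\internal-root.cer',                # placeholder
    [string]$ExpectedThumbprint = 'REPLACE-WITH-PUBLISHED-THUMBPRINT'  # placeholder
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# A root certificate is self-issued: Subject and Issuer must match.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (Subject='$($cert.Subject)', Issuer='$($cert.Issuer)'); refusing to install into Root."
}

# Basic Constraints must assert CA:TRUE (the question's certificate has CA:TRUE, pathlen:1).
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw "Basic Constraints does not assert CA:TRUE; refusing to install into Root."
}

# Out-of-band check: the thumbprint must match the value the user obtained separately
# (this addresses the answer's "how do users know it is your certificate?").
$expected = $ExpectedThumbprint.Replace(' ', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint $($cert.Thumbprint) does not match expected $expected; refusing to install."
}

# Target the Root store explicitly instead of "automatically select the certificate store".
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null
Write-Host "Installed '$($cert.Subject)' (thumbprint $($cert.Thumbprint)) into CurrentUser\Root."
```

Windows still shows its own confirmation prompt when a certificate is added to the current user's Root store; installing into Cert:\LocalMachine\Root instead requires an elevated session.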