Certificate Support and the Update Root Certificates Component

(Note: This topic describes not just Windows XP Professional with Service Pack 2, but also Windows XP Professional with Service Pack 3.)

On This Page

Benefits and Purposes of Certificate Functionality
Overview: Using Certificate Components in a Managed Environment
How Update Root Certificates Communicates with Sites on the Internet
Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet
Procedures for Preventing Root Certificates from Being Updated on an Individual Computer

Benefits and Purposes of Certificate Functionality

Certificates, and the public key infrastructure of which they are a part, support authentication and encrypted exchange of information on open networks, such as the Internet, extranets, and intranets. A certificate securely binds a public key to the entity that holds the corresponding private key. With certificates, host computers on the Internet no longer have to maintain a set of passwords for individual subjects who need to be authenticated as a prerequisite to access. Instead, the host merely establishes trust in a certification authority that certifies individuals and resources that hold private keys. The host can establish this trust through a certificate hierarchy that is ultimately based on a root certificate, that is, a certificate from a certification authority that establishes a well-defined level of integrity and security for the hierarchy.

Examples of times that a certificate is used are when a user:

  • Uses a browser to engage in a Secure Sockets Layer (SSL) session

  • Accepts a certificate as part of installing software

  • Accepts a certificate when receiving an encrypted or digitally signed e-mail message

When learning about public key infrastructure, it is important to learn not only about how certificates are issued, but about how certificates are revoked and how information about those revocations is made available to clients. This is because certificate revocation information is crucial for a user’s application that is seeking to verify that a particular certificate is currently (not just formerly) considered trustworthy. Certificate revocation information is often stored in the form of a certificate revocation list, although this is not the only form it can take. Applications that have been presented with a certificate might contact a site on an intranet or the Internet not only for information about certification authorities, but also for certificate revocation information.

In an organization where clients run Microsoft Windows XP Professional and servers run Windows Server 2003, you have a variety of options in the way certificates and certification revocation lists (or other forms of certificate revocation information) are handled. For more information about these options, see the references listed in the next subsection, "Overview: Using Certificate Components in a Managed Environment."

The Update Root Certificates component in Windows XP with SP2 is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site when this check is needed by a user’s application. Specifically, if the application is presented with a certificate issued by a certification authority that is not directly trusted, the Update Root Certificates component (if present) will contact the Microsoft Windows Update Web site to see if Microsoft has added the certification authority to its list of trusted authorities. If the certification authority has been added to the Microsoft list of trusted authorities, its certificate will automatically be added to the trusted certificate store on the user’s computer. Note that the Update Root Certificates component is optional with Windows XP with SP2—that is, it can be removed or excluded from installation on a computer running Windows XP with SP2.

Overview: Using Certificate Components in a Managed Environment

In an organization where clients run Windows XP Professional and servers run Windows Server 2003, you have a variety of options in the way certificates are handled. For example, you can establish a trusted root authority, also known as a root certification authority inside your organization. The first step in establishing a trusted root authority is to install the Certificate Services component. Another step that might be appropriate is to configure the publication of certificate revocation information to the Active Directory® directory service. When implementing public key infrastructure, we recommend that you also learn about Group Policy as it applies to certificates. Procedures for these steps are provided in the resources listed at the end of this subsection.

When you configure a certification authority inside your organization, the certificates it issues can specify a location of your choosing for retrieval of additional evidence for validation. That location can be a Web server or a directory within your organization. Because it is beyond the scope of this white paper to provide full details about working with certification authorities, root certificates, certificate revocation, and other aspects of public key infrastructure, this section provides a list of conceptual information and a list of resources to help you learn about certificates.

Some of the concepts to study when learning about certificates include:

  • Certificates and the X.509 V3 standard (the most widely used standard for defining digital certificates) as well as the public key infrastructure for X.509 (PKIX). PKIX is described in RFC 3280, which you can search for on the Internet Engineering Task Force (IETF) Web site at:

    http://www.ietf.org/rfc.html

    You can also learn about PKIX on the Internet Engineering Task Force (IETF) Web site at:

    https://go.microsoft.com/fwlink/?LinkId=29924

  • Standard protocols that relate to certificates, for example, Transport Layer Security (TLS), Secure Sockets Layer (SSL), and Secure Multipurpose Internet Mail Extensions (S/MIME).

  • Encryption keys and how they are generated.

  • Certification authorities, including the concept of a certification authority hierarchy and the concept of an offline root certification authority.

  • Certificate revocation.

  • Ways that Active Directory and Group Policy can work with certificates.

The following list of resources can help you as you plan or modify your implementation of certificates and public key infrastructure:

In a medium-size to large organization, for the greatest control of communication with the Internet, it is recommended that you manage the list of certification authorities yourself, meaning that on users’ computers, you would control or remove the Update Root Certificates component or prevent it from being installed with Windows XP with SP2.

How Update Root Certificates Communicates with Sites on the Internet

This subsection focuses on how the Update Root Certificates component communicates with sites on the Internet. The previous subsection, "Overview: Using Certificate Components in a Managed Environment" provides references for the configuration choices that control the way other certificate components communicate with sites on the Internet.

If the Update Root Certificates component is installed on a user’s computer and has not been disabled through Group Policy, and the user’s application is presented with a certificate issued by a root certification authority that is not directly trusted, the Update Root Certificates component communicates across the Internet as follows:

  • Specific information sent or received: Update Root Certificates sends a request to the Windows Update Web site, asking for the current list of root certification authorities in the Microsoft Root Certificate Program. If the untrusted certificate is named in the list, Update Root Certificates obtains that certificate from Windows Update and places it in the trusted certificate store on the user’s computer. No user authentication or unique user identification is used in this exchange.

    The Windows Update Web site is located at:

    https://windowsupdate.microsoft.com/

  • Default setting and ability to disable: Update Root Certificates is installed by default in Windows XP with SP2. You can disable this component with Group Policy, or you can remove it or exclude it from installation on users’ computers.

  • Trigger and user notification: Update Root Certificates is triggered when the user is presented with a certificate issued by a root certification authority that is not directly trusted. There is no user notification.

  • Logging: Events containing information such as the following will be logged:

    For Event ID 7:

Description: Successful auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site

**For Event ID 8**:

<pre IsFakePre="true" xmlns="http://www.w3.org/1999/xhtml">

Description: Failed auto update retrieval of third-party root list sequence number from: URL_for_Windows_Update_Web_Site  with error: hexadecimal_error_value

  • Encryption, privacy, and storage: When requests or certificates are sent to or from Update Root Certificates, no encryption is used. Microsoft does not track access to the list of trusted authorities that it maintains on the Microsoft Windows Update Web site.

  • Transmission protocol and port: The transmission protocol is HTTP and the port is 80.

Controlling the Update Root Certificates Component to Prevent the Flow of Information to and from the Internet

If you want to prevent the Update Root Certificates component in Windows XP with SP2 from communicating automatically with the Microsoft Windows Update Web site, you can disable this component with Group Policy, or you can remove it or exclude it from installation on users’ computers. You can exclude the component during workstation deployment by using standard methods for unattended installation or remote installation, as described in Appendix A, "Resources for Learning About Automated Installation and Deployment.” If you are using an answer file, the entry is as follows:

[Components]
Rootautoupdate = Off

For information about how to disable Update Root Certificates through Group Policy, see “To Disable the Update Root Certificates Component by Using Group Policy,” later in this section.

How Disabling, Removing, or Excluding Update Root Certificates from Users’ Computers Can Affect Users and Applications

If the user is presented with a certificate issued by a root certification authority that is not directly trusted, and the Update Root Certificates component is not installed on the user’s computer, the user will be prevented from completing the action that required authentication. For example, the user might be prevented from installing software, viewing an encrypted or digitally signed e-mail message, or using a browser to engage in an SSL session.

Procedures for Preventing Root Certificates from Being Updated on an Individual Computer

The following procedures describe:

  • How to use Group Policy to disable the Update Root Certificates component on users’ computers.

  • How to use Control Panel to remove the Update Root Certificates component from an individual computer running Windows XP with SP2.

  • How to exclude the Update Root Certificates component during unattended installation of Windows XP with SP2 by using an answer file.

To Disable the Update Root Certificates Component by Using Group Policy

  1. See Appendix B, "Learning About Group Policy and Updating Administrative Templates,” for information about using Group Policy. Ensure that your Administrative templates have been updated, and then edit an appropriate GPO.

  2. Click Computer Configuration, click Administrative Templates, click System, click Internet Communication Management, and then click Internet Communication settings.

  3. In the details pane, double-click Turn off Automatic Root Certificates Update, and then click Enabled.

    Important   You can also restrict Internet access for this and a number of other components by applying the Restrict Internet communication policy setting, which is located in Computer Configuration/Administrative Templates/System/Internet Communication Management. For more information about this Group Policy and the policies that it controls, see Appendix C, "Group Policy Settings Listed Under the Internet Communication Management Key."

To Remove the Update Root Certificates Component from an Individual Computer Running Windows XP with SP2

  1. Click Start, and then either click Control Panel, or point to Settings and then click Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components (on the left).

  4. Scroll down the list of components to Update Root Certificates, and make sure the check box for that component is cleared.

  5. Follow the instructions to complete the Windows Components Wizard.

To Exclude the Update Root Certificates Component During Unattended Installation by Using an Answer File

  1. Using the methods you prefer for unattended installation or remote installation, create an answer file. For more information about unattended and remote installation, see Appendix A, "Resources for Learning About Automated Installation and Deployment."

  2. In the [Components] section of the answer file, include the following entry:

    Rootautoupdate = Off