Download and install Root CAs

PostPosted: 26.03.2019, 19:59
by Dalai
Hi there. I have another feature request :).

Inspired by this thread viewtopic.php?f=6&t=9006 (and as suggested in older threads [1] and [2]) I suggest adding a feature to download and install MS Root CAs before any update or feature is installed on the clients. Missing root certificates prevent the installation of certain updates and software like .NET Framework when a client system is completely offline :!: Some Windows Update prerequisite updates might contain the MS Root CAs (like the new ones for w61), but others might not. That's why I think adding certificates is the better and more flexible way.

I'm not sure whether or not MS would complain when WOU shipped the certificates, but to make sure they don't I suggest to download them instead. This should be easy to implement as well. The certificates' download URLs can be found in the MS PKI repository. Downloading can be done the usual way (wget, aria2). The import on the clients can be done via certutil.exe, like this:
Code:
REM Import every .crt found in the certs directory into the machine's Root store.
REM "delims=" keeps file names with spaces intact; dir /b prints bare names, so the path is prepended.
for /F "delims=" %%F IN ('dir /b wsusoffline\client\certs\*.crt') DO (
    %SystemRoot%\system32\certutil.exe -addstore Root "wsusoffline\client\certs\%%~F"
)
Adding certificates this way might not be the best approach because all certs are added to the Root certificate store; this may open holes in the system's security (and even add unwanted certs). Using a (static) text file that contains the certificate names and the corresponding certificate store can prevent that:
Code:
REM Each line of list.txt is "<file name>,<store name>"; %%F is the file, %%G the store.
REM Only files that actually exist in the certs directory are imported.
for /F "tokens=1,2 delims=," %%F IN (wsusoffline\client\certs\list.txt) DO (
    if exist "wsusoffline\client\certs\%%~F" %SystemRoot%\system32\certutil.exe -addstore %%G "wsusoffline\client\certs\%%~F"
)
with the text file looking like this:
Code:
MicRooCerAut2011_2011_03_22.crt,Root
MicRooCerAut_2010-06-23.crt,Root
somecert.crt,AuthRoot
someothercert.crt,TrustedPeople


_____

The mechanism could even be expanded to download the current certificates which would then be independent from the URLs in MS's PKI repo, but could also add unwanted certificates to the store, depending on the implementation. Different ways to download and install the certificates can be found in the article Updating List of Trusted Root Certificates in Windows 10 / 7. The download would be done by certutil.exe or wget/aria2, depending on the method.

Regards
Dalai
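
An added example in PowerShell, not part of this thread or of wsusoffline, of the list-driven import described above, with the two checks a deployer would want on top of it: the target store is restricted to a short allow-list, and each certificate's SHA-1 thumbprint is compared against an optional third column in list.txt before anything is added. The third column, the directory layout, the file names and the function names are assumptions; .crl files are handed to certutil -addstore as in the post above, because the .NET X509Store API only adds certificates.

```powershell
# Added example, not wsusoffline's own code. Imports each certificate listed in
# list.txt into the store named on its line, after a thumbprint check.
# Assumed line format (the third column extends the two-column format in the post):
#   <file name>,<store name>[,<expected SHA-1 thumbprint>]
# Lines starting with # are ignored. Needs an elevated shell for LocalMachine stores.
param(
    [string]$CertDir  = "wsusoffline\client\certs",            # assumed layout
    [string]$ListFile = "wsusoffline\client\certs\list.txt",   # assumed layout
    [switch]$DryRun                                            # report only, change nothing
)

# A root-CA deployment has no business writing to any other store.
$AllowedStores = @("Root", "AuthRoot", "CA", "TrustedPeople")

function Get-CertListEntries {
    param([string]$Path)
    foreach ($line in Get-Content -LiteralPath $Path) {
        $line = $line.Trim()
        if (-not $line -or $line.StartsWith("#")) { continue }
        $parts = $line.Split(",")
        if ($parts.Count -lt 2) { Write-Warning "Malformed line skipped: $line"; continue }
        $expected = $null
        if ($parts.Count -ge 3 -and $parts[2].Trim()) {
            # Normalise to upper-case hex without separators, the form X509Certificate2.Thumbprint uses.
            $expected = ($parts[2] -replace "[^0-9A-Fa-f]", "").ToUpperInvariant()
        }
        [pscustomobject]@{ File = $parts[0].Trim(); Store = $parts[1].Trim(); Thumbprint = $expected }
    }
}

function Import-ListedCertificates {
    param([string]$Dir, [string]$List, [switch]$ReportOnly)
    foreach ($entry in Get-CertListEntries -Path $List) {
        $path = Join-Path -Path $Dir -ChildPath $entry.File
        if (-not (Test-Path -LiteralPath $path)) {
            Write-Warning "Missing file, skipped: $path"; continue
        }
        if ($AllowedStores -notcontains $entry.Store) {
            Write-Warning "Store '$($entry.Store)' not allowed, skipped: $($entry.File)"; continue
        }
        if ($entry.File -like "*.crl") {
            # X509Store.Add() takes certificates only; CRLs go through certutil as in the post.
            Write-Output "CRL  $($entry.File) -> $($entry.Store)"
            if (-not $ReportOnly) {
                & "$env:SystemRoot\system32\certutil.exe" -addstore $entry.Store $path | Out-Null
            }
            continue
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $path
        if ($entry.Thumbprint -and $cert.Thumbprint -ne $entry.Thumbprint) {
            Write-Warning ("Thumbprint mismatch, skipped: {0} has {1}, list expects {2}" -f `
                $entry.File, $cert.Thumbprint, $entry.Thumbprint)
            continue
        }
        if (-not $entry.Thumbprint) {
            Write-Warning "No thumbprint pinned for $($entry.File); importing on file name alone"
        }
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList $entry.Store, "LocalMachine"
        $store.Open("ReadWrite")
        try {
            if ($store.Certificates.Contains($cert)) {
                Write-Output "Skip $($entry.File): already in $($entry.Store)"
            } else {
                Write-Output "Add  $($entry.File) ($($cert.Subject)) -> $($entry.Store)"
                if (-not $ReportOnly) { $store.Add($cert) }
            }
        } finally {
            $store.Close()
        }
    }
}

Import-ListedCertificates -Dir $CertDir -List $ListFile -ReportOnly:$DryRun
```

Run it from the directory above wsusoffline\ (or pass -CertDir and -ListFile), first with -DryRun to see what would be added and which entries are unpinned or mismatched. Pinning the thumbprint is what makes the list a real control: without it, anything dropped into the certs directory under a listed file name is trusted machine-wide.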

Re: Download and install Root CAs

PostPosted: 27.03.2019, 04:39
by rbronca
If you head down that path adding the MS Root CAs, then make sure you also add the revocation list as well.
Given their criticality in patching, ideally the wsusoffline patching process should download the latest versions when checking for updates.
To mitigate any concerns others may have, a checkbox similar, or even replacing the "update Silverlight" one could be provisioned, allowing the choice to deploy these certificates or not.
Does anyone still care about Silverlight?

Re: Download and install Root CAs

PostPosted: 27.03.2019, 08:57
by aker
Could we then also implement the TimeStamp-CAs?

Re: Download and install Root CAs

PostPosted: 27.03.2019, 17:27
by Dalai
Although I only mentioned the MS Root CAs, I implied that CRLs and the Timestamp CAs and similar certs would be downloaded and installed the same way. But I think you can agree that the MS Root CAs are the most important ones.

rbronca wrote: To mitigate any concerns others may have, a checkbox similar, or even replacing the "update Silverlight" one could be provisioned, allowing the choice to deploy these certificates or not.

Yes, and no. With a simple checkbox one can only decide if the certs are installed or not - all or none of them. Hence my suggestion with the text file, so users are able to decide which certs they want or don't want. Anyway, it's not my call to decide whether or not such a text file makes sense ;).

Regards
Dalai

Re: Download and install Root CAs

PostPosted: 10.05.2019, 21:21
by WSUSUpdateAdmin
Sorry, missed this topic/thread and will work on it, hopefully next week.

Re: Download and install Root CAs

PostPosted: 15.05.2019, 17:34
by einzelkind
WSUSUpdateAdmin wrote: ...will work on it...
That would be great!
I'm looking forward to it. :-)

Best regards,
Michael

Re: Download and install Root CAs

PostPosted: 24.06.2019, 16:01
by WSUSUpdateAdmin
Hi.

This option was added three weeks ago.
I hope it's sufficient to have it the simple way it's implemented now (just install all .crt and .crl present in ...\win\glb).

Thanks to Dalai! :)

Regards
Torsten

Re: Download and install Root CAs

PostPosted: 24.06.2019, 16:44
by Dalai
WSUSUpdateAdmin wrote: This option was added three weeks ago.

A couple of days ago I had the chance to take a look at it. It looks fine.

WSUSUpdateAdmin wrote: I hope it's sufficient to have it the simple way it's implemented now (just install all .crt and .crl present in ...\win\glb).

Only time will tell... Out of curiosity: Is it possible to exclude certificates from download (apart from editing StaticDownloadLinks-win-glb.txt)?

WSUSUpdateAdmin wrote: Thanks to Dalai! :)

You're welcome.

Regards
Dalai

Re: Download and install Root CAs

PostPosted: 15.07.2019, 16:08
by WSUSUpdateAdmin
Hi and sorry for delay!

Dalai wrote: A couple of days ago I had the chance to take a look at it. It looks fine.

:)
Dalai wrote: Out of curiosity: Is it possible to exclude certificates from download (apart from editing StaticDownloadLinks-win-glb.txt)?

You may use ...\exclude\custom\ExcludeListForce-all.txt to exclude even static definitions.

Cheers,
Torsten

Re: Download and install Root CAs

PostPosted: 15.07.2019, 20:00
by boco
As I had to learn the hard way, having

Code:
Includewinglb=Disabled


in the INI works very well for excluding all certificates, too. :oops: