Download and install Root CAs

Postby Dalai » 26.03.2019, 19:59

Hi there. I have another feature request :).

Inspired by this thread viewtopic.php?f=6&t=9006 (and as suggested in older threads [1] and [2]) I suggest to add a feature to download and install MS Root CAs before any update or feature is installed on the clients. Missing root certificates prevent the installation of certain updates and software like .NET Framework when a client system is completely offline :!: Some Windows Update prerequisite updates might contain the MS Root CAs (like the new ones for w61), but others might not. That's why I think adding certificates is the better and more flexible way.

I'm not sure whether or not MS would complain when WOU shipped the certificates, but to make sure they don't I suggest to download them instead. This should be easy to implement as well. The certificates' download URLs can be found in the MS PKI repository. Downloading can be done the usual way (wget, aria2). The import on the clients can be done via certutil.exe, like this:
```batch
rem Install every .crt from the certs folder into the machine Root store.
rem dir /b yields bare file names, so the folder has to be prefixed again.
for /F "delims=" %%F IN ('dir /b wsusoffline\client\certs\*.crt') DO (
    %SystemRoot%\system32\certutil.exe -addstore Root "wsusoffline\client\certs\%%~F"
)
```
It might not be the best way to add certificates this way because all certs are added to the Root certificate store; this may open holes to the system's security (and even add unwanted certs). Using a (static) text file that contains the certificate names and the corresponding certificate store can prevent that:
```batch
rem Install only the certificates named in list.txt, each into the store given
rem in its second column (file,store); .crt files not on the list are ignored.
rem All paths point at wsusoffline\client\certs\ (see the edit note below).
for /F "eol=# tokens=1,2 delims=," %%F IN (wsusoffline\client\certs\list.txt) DO (
    if exist "wsusoffline\client\certs\%%~F" %SystemRoot%\system32\certutil.exe -addstore %%G "wsusoffline\client\certs\%%~F"
)
```
with the text file looking like this:
```text
MicRooCerAut2011_2011_03_22.crt,Root
MicRooCerAut_2010-06-23.crt,Root
somecert.crt,AuthRoot
someothercert.crt,TrustedPeople
```


_____

The mechanism could even be expanded to download the current certificates which would then be independent from the URLs in MS's PKI repo, but could also add unwanted certificates to the store, depending on the implementation. Different ways to download and install the certificates can be found in the article Updating List of Trusted Root Certificates in Windows 10 / 7. The download would be done by certutil.exe or wget/aria2, depending on the method.

Regards
Dalai
Last edited by Dalai on 06.05.2019, 02:34, edited 2 times in total.
Reason: The certificates must be located in wsusoffline\client\ instead of wsusoffline\
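An added example (not from this thread or the WSUS Offline project) of the allow-list idea above, written for PowerShell and using certutil.exe as the post does: it assumes a constructed list format with a third column holding the expected SHA-1 thumbprint, so a stray or swapped .crt in the folder is never imported, and only a fixed set of store names is accepted.

```powershell
# Added example: install listed certificates into the named store only after
# the file's thumbprint matches the list. Assumed (constructed) list format:
#   <file>,<store>,<expected SHA-1 thumbprint>   lines starting with # are ignored
param(
    [string]$CertDir  = "wsusoffline\client\certs",           # assumed layout
    [string]$ListFile = "wsusoffline\client\certs\list.txt"   # assumed layout
)

# Stores a client is allowed to write to; anything else is refused.
$allowedStores = @('Root', 'AuthRoot', 'CA', 'TrustedPublisher', 'TrustedPeople')
$certutil = Join-Path $env:SystemRoot 'system32\certutil.exe'

foreach ($line in Get-Content -Path $ListFile) {
    if ($line -match '^\s*(#|$)') { continue }                  # comment or blank line
    $fields = $line.Split(',') | ForEach-Object { $_.Trim() }
    if ($fields.Count -ne 3) { Write-Warning "Malformed line: $line"; continue }
    $file, $store, $expected = $fields

    if ($allowedStores -notcontains $store) {
        Write-Warning "Refusing unknown store '$store' for $file"; continue
    }
    $path = Join-Path $CertDir $file
    if (-not (Test-Path -Path $path)) { Write-Warning "Missing file: $path"; continue }

    # Parse the DER/PEM file and compare its SHA-1 thumbprint with the list entry.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $path
    if ($cert.Thumbprint -ne $expected.ToUpper()) {
        Write-Warning "Thumbprint mismatch for $file (got $($cert.Thumbprint)), skipping"
        continue
    }

    # Skip certificates that are already present in the machine store.
    if (Test-Path -Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)") {
        Write-Output "Already present: $($cert.Subject) in LocalMachine\$store"
        continue
    }

    # Same import as in the post, but only for verified entries.
    & $certutil -addstore $store $path | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "certutil failed for $file (exit $LASTEXITCODE)"; continue }
    Write-Output "Installed $($cert.Subject) into LocalMachine\$store"
}
```

Run it from an elevated prompt in the wsusoffline parent folder; certutil -addstore without -user writes to the LocalMachine stores, which is what the Test-Path check above looks at.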

Re: Download and install Root CAs

Postby rbronca » 27.03.2019, 04:39

If you head down that path adding the MS Root CA's, then make sure you also add the revocation list as well.
Given their criticality in patching, ideally the wsusoffline patching process should download the latest versions when checking for updates.
To mitigate any concerns others may have, a checkbox similar, or even replacing the "update Silverlight" one could be provisioned, allowing the choice to deploy these certificates or not.
Does anyone still care about Silverlight?

Re: Download and install Root CAs

Postby aker » 27.03.2019, 08:57

Could we then also implement the TimeStamp-CAs?

Re: Download and install Root CAs

Postby Dalai » 27.03.2019, 17:27

Although I only mentioned the MS Root CAs, I implied that CRLs and the Timestamp CAs and similar certs would be downloaded and installed the same way. But I think you can agree that the MS Root CAs are the most important ones.

rbronca wrote:To mitigate any concerns others may have, a checkbox similar, or even replacing the "update Silverlight" one could be provisioned, allowing the choice to deploy these certificates or not.

Yes, and no. With a simple checkbox one can only decide if the certs are installed or not - all or none of them. Hence my suggestion with the text file, so users are able to decide which certs they want or don't want. Anyway, it's not my call to decide whether or not such text file makes sense ;).

Regards
Dalai

Re: Download and install Root CAs

Postby WSUSUpdateAdmin » 10.05.2019, 21:21

Sorry, missed this topic/thread and will work on it, hopefully next week.

Re: Download and install Root CAs

Postby einzelkind » 15.05.2019, 17:34

WSUSUpdateAdmin wrote:...will work on it...
That would be great!
I'm looking forward to it. :-)

Best regards,
Michael

Re: Download and install Root CAs

Postby WSUSUpdateAdmin » 24.06.2019, 16:01

Hi.

This option has been added three weeks ago.
I hope it's sufficient to have it the simple way it's implemented now (just install all .crt and .crl present in ...\win\glb).

Thanks to Dalai! :)

Regards
Torsten

Re: Download and install Root CAs

Postby Dalai » 24.06.2019, 16:44

WSUSUpdateAdmin wrote:This option has been added three weeks ago.

A couple of days ago I had the chance to take a look at it. It looks fine.

I hope it's sufficient to have it the simple way it's implemented now (just install all .crt and .crl present in ...\win\glb).

Only time will tell... Out of curiosity: Is it possible to exclude certificates from download (apart from editing StaticDownloadLinks-win-glb.txt)?

Thanks to Dalai! :)

You're welcome.

Regards
Dalai

Re: Download and install Root CAs

Postby WSUSUpdateAdmin » 15.07.2019, 16:08

Hi and sorry for delay!

Dalai wrote:A couple of days ago I had the chance to take a look at it. It looks fine.

:)
Dalai wrote:Out of curiosity: Is it possible to exclude certificates from download (apart from editing StaticDownloadLinks-win-glb.txt)?

You may use ...\exclude\custom\ExcludeListForce-all.txt to exclude even static definitions.

Cheers,
Torsten

Re: Download and install Root CAs

Postby boco » 15.07.2019, 20:00

As I had to learn the hard way, having

```ini
Includewinglb=Disabled
```

in the INI works very well for excluding all certificates, too. :oops: