The other day I posted How to view a certificate programatically (C#) which includes a C# sample that we can use to view a certificate with CryptUIDlgViewCertificate API. This API shows the same dialog that appears when we double-click on the cert file in Explorer.
When testing the sample, I tried it on a .cer file of a root CA which I didn’t trust (yet). I just wanted to view the cert, but I got a very big surprise when I realized CryptUIDlgViewCertificate was showing the cert and installing it at the same time on my Trusted Root Certification Authorities store! Without my consent! I always get a big warning when I try to install a root CA cert on my machine. Why not this time? And, in any case, I just wanted to view the cert, and not install it!
Actually, I repeated the test just by double-clicking on the cert file in Explorer and the same thing happened: I saw the dialog with the CA cert and at the same time it got installed without my consent.
It turned out that this is a feature of Windows called Automatic Root Certificates Update. CryptUIDlgViewCertificate ends up calling CertGetCertificateChain API to build a certificate chain, and this API calls an internal AutoUpdate function. If AutoUpdate detects that Microsoft trusts the CA when building the chain, it installs the CA cert automatically.
Event ID 8 – Automatic Root Certificates Update Configuration
The Automatic Root Certificates Update component is designed to automatically check the list of trusted authorities on the Microsoft Windows Update Web site. Specifically, there is a list of trusted root certification authorities (CAs) stored on the local computer. When an application is presented with a certificate issued by a CA, it will check the local copy of the trusted root CA list. If the certificate is not in the list, the Automatic Root Certificates Update component will contact the Microsoft Windows Update Web site to see if an update is available. If the CA has been added to the Microsoft list of trusted CAs, its certificate will automatically be added to the trusted certificate store on the computer.
In my case, my test CA cert was not on my local copy of the trusted root CA list (Third-Party Root Certification Authorities), but on Microsoft Windows Update Web site. It’s a root CA cert that I got from Spanish Police, and Microsoft trusts them.
I hope this helps.
Alex (Alejandro Campos Magencio)