How to update certificates/CRL on Windows 7 systems that are without support contracts?



  • A quality answer to this question mentions:

    "System is regularly updated with latest patch specifically certificate/CRL from trusted source such as Microsoft."

    How does one update certificates/CRL on Windows 7 systems that do not currently have any support contracts?

    (An attempt to stay on-topic: Please do not use the comments or answers to state that all systems should only use supported operating systems. Tens of millions of Windows 7 systems are still in use in situations where updating the OS is likely to never happen. And millions of systems are still using operating systems that pre-date Windows 7, and likely will never be updated. Of course, if you're willing to provide funding to update all those systems, please do post!)



  • Microsoft provides Certificate/CRL updates offline as well, known as

    CTL Microsoft Trusted Root Program Updates

    You can download the certificate and CRL updates regularly and update the system.

    Below links will be helpful:

    Configure Trusted root

    Microsoft Trusted root program

    authrootstl.cab is generally provided by Microsoft for updates.

    But this is not the only way to get the certificates/CRL updates. Certificates generally contains information like Policy, thumbprints, Certificate Issuer, OCSP URL, CRL Distribution Point etc. These parameters can be used to update the certificate manually or automatically.

    For e.g., below are the sample scripts in PowerShell and Bash for verifying the certificate.

    Script will only work if certificate has OCSP URL/CRL distribution point available.

    Scripts are just for examples and not thoroughly tested.

    PowerShell:

        $certData = Get-ChildItem -Path Cert:\LocalMachine\<STORE> | where {! $_.PSIsContainer}
        
        foreach ($cert in $certData)
        {
                $thumbprint=$cert.Thumbprint
                Export-Certificate -Cert Cert:\LocalMachine\<STORE>\$thumbprint -FilePath C:\Temp\$thumbprint.crt
                certutil.exe -verify C:\Temp\$thumbprint.crt
        }
    

    Change STORE with windows certificate store list.

    Bash:

        for certs in $(find <path_to_cert_dir> -type f)
        do
            ocsp_url=$(openssl.exe x509 -in $certs -noout -ocsp_uri)
            openssl ocsp -issuer <cert_chain.cer> -cert $certs -text -url $ocsp_url > /tmp/output.ocsp
        done
    

    Now process the above output of ocsp as per requirements.

    All certificates may not contain OCSP URL/CRL distribution points so you may have to work with subject or thumbprint and fetch the certificate update manually from CA repository.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2