Jump to content
MSFN is made available via donations, subscriptions and advertising revenue. The use of ad-blocking software hurts the site. Please disable ad-blocking software or set an exception for MSFN. ×

Root Certificates and Revoked Certificates for Windows XP


heinoganda
 Share

Recommended Posts

Thanks, Mcinwwwwwwwwl and heino.  What version of certupdater should I be running on my XP machine, and should I just run it, or should I be doing something special with its folder or files?  I have been using Cert_Updater_v1.6.exe, but it came with other files that I don't understand.

I notice that many incoming emails on my XP machine (coming into Outlook 2003) have images that don't show -- I get blanks and a small square with a red X -- and yes I run certupdater every few months.  Maybe I'm NOT picking up the right cert files ???

Link to comment
Share on other sites


1 hour ago, glnz said:

I notice that many incoming emails on my XP machine (coming into Outlook 2003) have images that don't show -- I get blanks and a small square with a red X -- and yes I run certupdater every few months.  Maybe I'm NOT picking up the right cert files ?

Images often downloaded separately from the email that contains them because they're so large. Outlook uses IE to download these images. If IE can't download an image you'll get the red X, but there are lots of reasons IE might not be able to download from a particular server besides a certificate problem. For example, there may not be a TLS cipher that both the server and IE support. You may find that installing @heinoganda's version of ProxHTTPSProxyMII will resolve many of those download failures.

  • Like 2
Link to comment
Share on other sites

CertUpd.jpg

Update for root certificates:

New:

CN = A-Trust-Root-07
OU = A-Trust-Root-07
O = A-Trust Ges. f. Sicherheitssysteme im elektr. Datenverkehr GmbH
C = AT

 

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable rootsupd.exe should follow his instructions for creating their own, or PM at 5eraph for an updated EXE file.

:)

  • Like 5
Link to comment
Share on other sites

On 11/11/2019 at 5:27 PM, Mathwiz said:

Images often downloaded separately from the email that contains them because they're so large. Outlook uses IE to download these images. If IE can't download an image you'll get the red X, but there are lots of reasons IE might not be able to download from a particular server besides a certificate problem. For example, there may not be a TLS cipher that both the server and IE support. You may find that installing @heinoganda's version of ProxHTTPSProxyMII will resolve many of those download failures.

ProxHTTPSProxy is really wonderful tool. It allows access to many sites blocked and also to private & pubblic institution website not avaible before partially or totally (graphic defects/certificate errors/lack of visualization elements/address not reachable).

The question is: can we safely access these sites, through the ProxHTTPSProxy, entering sensitive credentials without any risk whatsoever (privacy, data theft, etc..)?

I suppose ProxHTTPSProxy couldn't expose severe security holes (otherwise Mr. Heinoganda would have warned about it) but, just to clear the field of doubts, are any security implications known?  

Link to comment
Share on other sites

On 11/18/2019 at 9:58 AM, Vistaboy said:

can we safely access these sites, through the ProxHTTPSProxy, entering sensitive credentials without any risk whatsoever (privacy, data theft, etc..)?

IMO yes; it's safe. Older, "weaker" encryption is used between the browser (IE or Chrome) and the so-called "front" server, and data is unencrypted between the "front" and "back" servers; but all this takes place within your own PC. No unencrypted or weakly-encrypted data ever leaves the PC. Thus, the connection between your PC and the Web server you're using will be as secure as the Web server is configured to make it.

It's conceivable that malware could be written to exploit ProxHTTPSProxy, but the number of folks using it is pretty tiny, so I doubt anyone would bother.

  • Like 3
Link to comment
Share on other sites

  • 3 months later...

Can someone please PM me the updater, nether the links #1 work for me.

 

On second link I get "Unable to read session config"

 

lol I got about 5 different people PM the same attachment hahah thanks everyone I'm flattered

Edited by shorterxp
Link to comment
Share on other sites

  • 2 weeks later...
*******************************************************
* authroots.sst         2020-02-26 22:33  Roots       *
* delroots.sst          2019-08-21 22:44  Roots       *
* roots.sst             2019-07-23 23:27  Roots       *
* updroots.sst          2020-02-26 22:33  Roots       *
* disallowedcert.sst    2019-08-13 17:18  Revoked     *
*******************************************************
*******************************************************
*                                                     *
*                 Roots  Certificates                 *
*                                                     *
*                successfully updated!                *
*                                                     *
*******************************************************
*******************************************************
*                                                     *
*                Revoked  Certificates                *
*                                                     *
*                successfully updated!                *
*                                                     *
*******************************************************
Aby kontynuować, naciśnij dowolny klawisz . . .

 

I wasn'tgetting into details what ahve changed, but it looks like update won't harm anyone, and might help :)

  • Like 3
Link to comment
Share on other sites

  • 2 weeks later...
9 hours ago, FranceBB said:

Did it go offline itself or did someone make you remove it? 'cause if you want I can upload it back to Mega.

Why Mega and not Mediafire? Mediafire not limited and persists decades :thumbup. Mega Bandwidth Limit Exceeded :realmad:

I have made a batch script for update my Windows 8 Certificates donwloading rootsupd.zip from Kaspersky:

 

@Echo Off
Title Roots and Revoked Certificates Updater (Batch Edition)
Echo ===========================================================================
For /F "tokens=1,2,3 delims=.-/ " %%a In ('Date /T') Do Set "wd=%~dp0CertUpd_%%a-%%b-%%c"
Echo Creating Working directory ^(%wd%^) ...
MD "%wd%" & CD /D %wd%
Echo:
Echo Creating VBScript downloader ...
Echo:
(
  Echo Set xhttp = CreateObject^("MSXML2.XMLHTTP"^)
  Echo Set strm = CreateObject^("ADODB.Stream"^)
  Echo xhttp.open "GET", WScript.Arguments^(0^), False
  Echo xhttp.send
  Echo strm.Type = 1
  Echo strm.Open
  Echo strm.Write xhttp.ResponseBody
  Echo strm.SaveToFile WScript.Arguments^(1^), 2
  Echo strm.Close
  Echo Set xhttp = Nothing : Set strm = Nothing
) > dwn.vbs
Echo Creating VBScript UnZip ...
(
  Echo Set shl = CreateObject^("Shell.Application"^)
  Echo Set zip = shl.NameSpace(WScript.Arguments^(0^)^).items
  Echo shl.NameSpace(WScript.Arguments^(1^)^).CopyHere^(zip^)
  Echo Set xhttp = Nothing : Set strm = Nothing
) > uzip.vbs
Echo:
Echo Downloading rootsupd.zip ...
Set "url=https://media.kaspersky.com/utilities/CorporateUtilities/rootsupd.zip"
CScript.exe /NoLogo dwn.vbs %url% rootsupd.zip
Echo:
Echo UnZip rootsupd.zip ...
CScript.exe /NoLogo uzip.vbs "%wd%\rootsupd.zip" "%wd%"
"%wd%\rootsupd.exe" /Q /C /T:"%wd%"
Echo:
Echo Downloading .sst files
Set "url=http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
Set "files=authroots.sst updroots.sst roots.sst delroots.sst"
For %%a In (%files%) Do CScript.exe /NoLogo dwn.vbs %url%%%a %%a
Echo:
Echo Installing Certificates
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst
Echo:
Echo Finish :-)
Pause

 

BUT in Clean Windows XP do not using https autentification to Kaspersky T_T. TLS1.1, TLS1.2 problems?. Anyway the following bacth script works perfectly on a clean windows xp, downloading rootsupd.exe from web.archive.org:

@Echo Off
Title Roots and Revoked Certificates Updater (Batch Edition)
Echo ===========================================================================
For /F "tokens=1,2,3 delims=.-/ " %%a In ('Date /T') Do Set "wd=%~dp0CertUpd_%%a-%%b-%%c"
Echo Creating Working directory ^(%wd%^) ...
MD "%wd%" & CD /D %wd%
Echo:
Echo Creating VBScript downloader ...
Echo:
(
  Echo Set xhttp = CreateObject^("MSXML2.ServerXMLHTTP"^)
  Echo Set strm = CreateObject^("ADODB.Stream"^)
  Echo xhttp.SetOption^(2^) = 13056
  Echo xhttp.open "GET", WScript.Arguments^(0^), False
  Echo xhttp.send
  Echo strm.Type = 1
  Echo strm.Open
  Echo strm.Write xhttp.ResponseBody
  Echo strm.SaveToFile WScript.Arguments^(1^), 2
  Echo strm.Close
  Echo Set xhttp = Nothing : Set strm = Nothing
) > dwn.vbs
Echo:
Echo Downloading rootsupd.exe ...
Set "url=https://web.archive.org/web/20170829230259/http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe"
CScript.exe /NoLogo dwn.vbs %url% rootsupd.exe
Echo:
Echo Extract rootsupd.exe ...
"%wd%\rootsupd.exe" /Q /C /T:"%wd%"
Echo:
Echo Downloading .sst files
Set "url=http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
Set "files=authroots.sst updroots.sst roots.sst delroots.sst"
For %%a In (%files%) Do CScript.exe /NoLogo dwn.vbs %url%%%a %%a
Echo:
Echo Installing Certificates
updroots.exe authroots.sst
updroots.exe updroots.sst
updroots.exe -l roots.sst
updroots.exe -d delroots.sst
Echo:
Echo Finish :-)
Pause

 

Edited by EdSon
Link to comment
Share on other sites

  • 2 weeks later...

CertUpd.jpg

Update for root certificates:

New:

CN = Microsoft ECC Root Certificate Authority 2017
O = Microsoft Corporation
C = US

CN = Microsoft EV ECC Root Certificate Authority 2017
O = Microsoft Corporation
C = US

CN = Microsoft EV RSA Root Certificate Authority 2017
O = Microsoft Corporation
C = US

CN = Microsoft RSA Root Certificate Authority 2017
O = Microsoft Corporation
C = US

CN = TunTrust Root CA
O = Agence Nationale de Certification Electronique
C = TN

 

Those using heinoganda's Cert_Updater.exe should run it ASAP. Others needing a redistributable rootsupd.exe should follow his instructions for creating their own, or PM at 5eraph for an updated EXE file.

:)

  • Like 4
Link to comment
Share on other sites

Heinoganda,

I would like to use your updater, but before doing so, I would like to ask whether it works for Windows XP x64 SP2 (NT 5.2) as well? System's English with no MUI installed, but some components differ from regular 32-bit XP. It never got the TLS 1.2 update from the POSReady2009 branch of XP for instance. Also, it has system32/syswow64, like other 64-bit Windows systems, and the registry hive is split between 32/64-bit in a similar fashion.

Can I still use your program on XP x64, or is this completely untested?

Thank you!

Link to comment
Share on other sites

1 hour ago, GrandAdmiralThrawn said:

Can I still use your program on XP x64, or is this completely untested?

Unfortunately I have not yet tested it in WX Pro x64, you would have to do that.

:)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share


×
×
  • Create New...