Where is the Untrusted Certificate store managed on Windows 2012 / IE10?

  • Question

  • If I look on Windows 2012 with IE10 I don't see any revoked certificates in the Untrusted Certificate store. How does the CryptoApi know if certificates are revoked?

    I've seen the CTL Disallowed list, but that list is not complete with all thumbprints from revoked certificates if I compare it to previous OS versions.
    And is there an easy way to see these certificate properties because it only lists thumbprints?

    cheers,
    Matthijs


    • Edited by WijersM Monday, January 7, 2013 9:05 PM
    Monday, January 7, 2013 8:59 PM

Answers

  • If I look on Windows 2012 with IE10 I don't see any revoked certificates in the Untrusted Certificate store. How does the CryptoApi know if certificates are revoked?


    Hi,

    Please provide more information about Windows 2012. I am not sure what's the meaning of Windows 2012.

    Regards.


    Spencer
    TechNet Community Support

    Wednesday, January 9, 2013 3:42 AM
    Moderator

All replies

  • Hi,

    you can replace Windows 2012 with Microsoft Windows Server 2012 or Windows 8. See the following picture (IE -> Options -> Content -> Certificates -> Untrusted Publishers):

    This BTW identical with

    Previous Windows versions listed every untrusted certificate. This was helpful, because you were able to verify which certificate was blocked. Do you remember http://technet.microsoft.com/en-us/security/advisory/2798897 ? There's an FAQ entry "After applying the update, how can I verify the certificates in the Microsoft Untrusted Certificates Store?" describing that this is the way you should verify...

    But it seems like that does not apply to systems using the automatic updater of revoked certificates. But this will raise the question:

    How should one verify that these certificates are really blocked?

    XP/Server 2003 will list these certificates (these systems currently list 58 blocked certificates). But Windows 7/Server 2008 R2 for example only list 27 blocked certificates (the certificates from the mentioned advisory aren't listed for example). And now, Windows 8/Server 2012 doesn't list any blocked certificate...

    Well, you can filter for CAPI2 events in the application log. You should find an event like

    "Successful auto update of disallowed certificate list with effective date: Tuesday, 1. Januar 2013 00:50:01."

    But you don't really know what is blocked.


    Regards, Thomas

    Thursday, March 7, 2013 9:34 AM
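
The check described in the last reply, as an added PowerShell example that is not part of the original thread: it collects the CAPI2 auto-update events from the Application log and sets them beside the certificates that are individually listed in the local machine's Untrusted Certificates store. The function name and the message pattern are assumptions; the pattern is taken from the English event text quoted above and will not match on a system that logs the message in another language.

```powershell
# Added example: summarise what this machine can show about disallowed certificates.
# Assumption: the event text matches the English message quoted in the thread.
function Get-DisallowedCertStatus {
    param(
        [string]$MessagePattern = '*auto update of disallowed certificate list*',
        [int]$MaxEvents = 5000
    )

    # CAPI2 writes its auto-update results to the Application log.
    # Get-WinEvent raises an error when nothing matches, so suppress it and
    # treat "no events found" as a result in its own right.
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Microsoft-Windows-CAPI2'
        } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like $MessagePattern } |
        Sort-Object TimeCreated -Descending)

    # Certificates individually present in the Untrusted Certificates store.
    # As the thread notes, entries blocked only through the automatically
    # updated list are not shown here.
    $storeCerts = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UpdateEventsFound = $events.Count
        LastUpdateLogged  = if ($events.Count) { $events[0].TimeCreated } else { $null }
        LastUpdateMessage = if ($events.Count) { $events[0].Message } else { $null }
        StoreCertCount    = $storeCerts.Count
        StoreCerts        = $storeCerts | Select-Object Thumbprint, Subject, NotAfter
    }
}

$status = Get-DisallowedCertStatus
$status | Format-List ComputerName, UpdateEventsFound, LastUpdateLogged, LastUpdateMessage, StoreCertCount
$status.StoreCerts | Sort-Object Subject | Format-Table -AutoSize
```

A machine that reports a recent update event but a store count of zero matches the Windows 8/Server 2012 behaviour described in the thread.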