Root Cert Not included in Windows 10?

apparently despite that it was said that LE is included in MS's root Program, on a 21h2 system we just set up, it tried to chain down to the DST Root via the LE root (so leaf -> intermediate -> ISRG X1 -> DST X3)

might there be a need to check this with microsoft so they actually include you?

How are you testing that?
Windows is known to be lazy.
See: ISRG Root lazy loading problem + missing from (random) updated Windows 10 versions - Help - Let's Encrypt Community Support (letsencrypt.org)

3 Likes

We use a hotspot we set up for setting up devices and the login page for it failes with a certificate being expired.

So it apparently does have the DST root tho even if it is expired

Also would adding a few extra certs, especially the root of what's probably the most used CA in the whole internet for websites especially with how bloated windows has become, be that much of an issue

So, as @rg305 said, Windows does this "lazy loading" of certificates. If you go to https://valid-isrgrootx1.letsencrypt.org/ (or any other Let's Encrypt secured site) in Edge (or Chrome or any other system that uses the system trust store), it will detect that the root isn't one in its list, check with Microsoft for info on that root, and download and add it to its trust store.

So, if that's not happening with the test you're doing, one of these things must be happening:

  1. The software you're using to test isn't using the system security resolver correctly, trying to use the trust store directly instead of through the APIs that will do this lazy loading. (As was the case in the linked thread, where some VPN software was doing that.)
  2. The software you're using to test uses its own root store, rather than the crypto system built into Windows, but for some reason doesn't have the Let's Encrypt root. (Or, for instance Firefox does its own thing and handles security itself, but even pretty old versions have the root, so I don't think this is likely for your scenario.)
  3. There's some system administration configuration (like Group Policy) which is preventing the download of new root certificates. (Unlikely in your case, but this was an issue with some people using Windows XP when DST Root CA X3 expired as they had been configured to not have auto-updates of the trust store.)
  4. The server you're trying to connect to isn't sending a full certificate chain that includes the intermediate certificates, so Windows doesn't know how to build a chain to the root until it has seen the intermediate from connecting to some other server. (I suspect this is the likely case for you.)
4 Likes

actually it's option 5.
There isn't even proper internet access established when connecting to the page (as mentioned it's a hotspot login page).

I am just using the chrome-edge

Ah, of course. I should have thought of that. Yes, Microsoft assumes that you wouldn't be in a case where one was trying to validate a new certificate while not having Internet access to them. It looks like that assumption doesn't hold in your case.

It's not clear to me how Microsoft chooses which roots get actually pre-bundled rather than only-download-on-demand. I suppose it's possible that Let's Encrypt might have more luck reaching out to them and asking than you might, but I wouldn't expect a whole lot of luck either way. (To be slightly more optimistic, in this thread Let's Encrypt contacted Microsoft to change the root in their store to be trusted for Client Authentication, so it looks like changes of some sort are at least possible.)

In the meantime, I think that if you're going to have systems without Internet access that need to be able to validate Let's Encrypt certificates, you'll need to add the root to their trust store manually, by like downloading ISRG Root X1 self-signed pem from Let's Encrypt directly and installing it, like via USB stick or adding it to the image you're cloning from or whatever "sneakernet"/non-online method makes sense for you.

5 Likes

at least for now it should be enough if edge just continues to let me bypass the warning, even if obviously far from ideal, although the most used CA on the web should maybe included in the long run, lol

tho as its our own hotspot, maybe knowing from which address/url it's being pulled might help, that way we possibly can change the settings

For windows to auto populate it's root certificates you need to allow outgoing http/https connections (to a variety of locations), windows update must be active and working and group policy must allow Automatic Root Certificates Update.

As mentioned by others Windows can lazy load roots and intermediates but it only does that when you make an outgoing https request to an resource that uses that root. Installing ISRG Root X1 (self signed) is universally the solution on windows. DST Root X3 will not be trusted by windows.

It's disappointing that Windows has not bundled ISRG Root X1 but if you are deploying multiple systems you may want to use your own image anyway.

4 Likes

you dont happen to know which locations, do you?

as the pcs are seeing their first connection to any network after installing, that area is no problem.

it kinda is tho, as it chains down to DST meaning it is stored, and complains about it being expired rather than unknown.

Trust is Boolean: It is either trusted or it is not.
Thus, "expired" is "not trusted".

2 Likes

then why would it still be in the trust store then?

Nothing is ever automatically deleted from the trust store.
If it expires, then it expires.
If it becomes compromised, then it is moved to untrusted.

2 Likes

well I would have expected it to be removed from newer OS versions tbh

Retaining expired certificates can be a requirement, depending on the certificate's purpose:

It looks like DST Root CA X3 was enabled for timestamping/email signing which can have similar requirements regarding retroactive signature verification, so retaining it makes sense for Microsoft.

Other root stores (especially those that only cater for server/client authentication, i.e. browser trust stores) generally remove expired roots, yes.

(Though MS seems to generally just to not care enough regardless of certificate's purpose)

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.