9

As I understand the process of verifying a remote computer's SSL certificate, the remote system sends its 'leaf' certificate and any intermediate certificates, but not the root certificate. Executing this openssl command shows that the root certificate is not sent by the remote server:

openssl s_client -showcerts -connect www.stackoverflow.com:443

It is then the responsibility of the client to check that the leaf certificate was indeed signed by the first intermediate certificate, that the first intermediate was signed by the second and so on. Ultimately, the signature on the last certificate provided by the remote system is checked to verify that it was signed by a root certificate that was already trusted - i.e., already in the 'trust store'.

So here's the question: why would you, as the client, ever want to store an intermediate certificate? The Windows certificate store has an area designated for storing "Intermediate Certification Authorities". What is it for? Is there ever a case where storing intermediate certificates is needed?

Dave Mulligan

4 Answers

4

I believe your understanding is correct. I think Windows stores intermediates because:

1) Having local copies of intermediate certs allows it to "cope" with connection scenarios where the remote server is not chained properly. I've seen scenarios where a web server isn't configured properly but IE doesn't complain.

2) The certificates are used for other Windows-based tools. For example, when analyzing a certificate with the Crypto Shell Extensions program, there's a "Certification Path" tab which tries to show the full chain (not ALWAYS accurate IMHO).

3) It allows the workstation to perform server-based SSL roles if needed (for example if you were to install some local software that had a web interface).

4) It potentially allows Windows, IE, or anything else leveraging the cert store to have a trusted reference point for cert pinning. I'm not sure to what extent Windows actually does this though.

Mike B
1

I can only guess it's to enable caching of frequently used certificates, so that the AIA isn't queried and downloaded for End Entity certs.

makerofthings7
  • What is AIA? Why would you want to query it if the certificate was already provided (as part of the default certificate delivery)? – SEJPM May 22 '15 at 19:00
1

An offline machine that wants to still verify code signatures, maybe.

StackzOfZtuff
-1

For clients and browsers I'm not sure why Windows would need to store intermediate certificates.

However, for IIS servers Microsoft has documented that you need to install intermediate certificates if you want them sent during TLS handshakes.

See https://support.microsoft.com/en-us/help/954755/how-to-configure-intermediate-certificates-on-a-computer-that-is-runni

Ed Greaves