
Re: Certificates from Windows Store

From: Richard Alcock via curl-library <>
Date: Tue, 22 Sep 2020 12:23:08 +0100

On Mon, 21 Sep 2020 at 14:14, David Weisgerber via curl-library
<> wrote:
> Some application servers the application uses get their certificates from Let's Encrypt and I notice that, in a newly installed Windows installation, my application would not trust them unless I open the same (HTTPS) site with the Internet Explorer. It seems as if there is a magic download of the root certificates happening when the Internet Explorer visits an SSL site with an unknown root certificate.
> The question is: Is anyone aware of how to emulate this behaviour with the Win32 API without using the Internet Explorer? I searched through the net and did not find any information on what is really going on there.

I think you are seeing Windows "Automatic Root Certificate Update" in
action. I think
describes it as I understand it, despite it apparently being only for
Windows Server 2008.

As I understand it, when you make a call to verify a certificate via
certain Windows APIs, if the root cert is not in the local certificate
store, but is part of the Microsoft Trusted Root Certificate Program,
then it can be downloaded from Windows Update and put into the local
store automatically. Triggering this update is one of the major
reasons to use the Schannel backend for libcurl on Windows, rather
than OpenSSL even with the new system certificate store integration.

Received on 2020-09-22