Message 335850
quick addition: It looks like all recent Windows versions (Win8/Server 2012, Win8.1/Server 2012R2, Win10 (older versions)/Server 2016, Win10-1809/Server 2019) behave the same (= only very few RootCAs are pre-installed out of the box; additional ones are added on the fly when HTTPS requests are being made via the SCHANNEL API).
Possible workaround for Windows admins:
Import the RootCA certs from "certifi" into the Windows local machine Trusted RootCA store.
To do so, first download and convert the certifi cabundle (https://certifi.io) to a pfx container, i.e. with something like:
wget -O certs.pem https://mkcert.org/generate/
openssl pkcs12 -export -nokeys -out certs.pfx -in certs.pem
Then import the pfx via the certlm.msc GUI or the certutil.exe cmdline tool. This imports all certs at once. This can also be centralized for a larger number of machines via an Active Directory Group Policy (Local Machine -> Windows Settings -> Security Settings -> PKI).
This isn't ideal as it puts the responsibility on the admin to update the certstore/GPO whenever there's a change in the certifi cabundle, but works well for me besides that.
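An added PowerShell example (not part of the message above or of the issue) for the import step: it reads the downloaded certs.pem bundle, lists which certifi roots are not yet in the machine's Trusted Root store, and imports only those when run with -Import. It assumes the certs.pem file produced by the wget step above and an elevated shell; re-running it after a bundle update adds only the new roots.

```powershell
# Added example: reconcile the certifi PEM bundle with LocalMachine\Root.
# Assumptions: certs.pem is the bundle downloaded above; shell runs as admin.
param(
    [string]$BundlePath = ".\certs.pem",
    [switch]$Import   # without this switch the script only reports
)

# Split the PEM bundle into individual certificates (comments are skipped).
$pem = Get-Content -Path $BundlePath -Raw
$pattern = '-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----'
$blocks = [regex]::Matches($pem, $pattern, 'Singleline')

$bundleCerts = foreach ($m in $blocks) {
    $der = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
}
$bundleCerts = @($bundleCerts)

# Thumbprints already trusted by this machine.
$installed = @{}
Get-ChildItem -Path Cert:\LocalMachine\Root |
    ForEach-Object { $installed[$_.Thumbprint] = $true }

# Roots in the bundle that the machine does not trust yet; expired ones
# are reported but never imported.
$now = Get-Date
$missing = @($bundleCerts | Where-Object { -not $installed.ContainsKey($_.Thumbprint) })
$expired = @($missing | Where-Object { $_.NotAfter -lt $now })
$toAdd   = @($missing | Where-Object { $_.NotAfter -ge $now })

"{0} certs in bundle, {1} not in LocalMachine\Root ({2} of those expired)" -f `
    $bundleCerts.Count, $missing.Count, $expired.Count
$toAdd | Select-Object Thumbprint, Subject, NotAfter | Format-Table -AutoSize

if ($Import -and $toAdd.Count -gt 0) {
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    foreach ($c in $toAdd) { $store.Add($c) }
    $store.Close()
    "Imported {0} root certificates." -f $toAdd.Count
}
```

Run it once without -Import to review the list before anything is written to the store.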
Date | User | Action | Args
2019-02-18 16:50:46 | chris-k | set | recipients: + chris-k, paul.moore, christian.heimes, tim.golden, zach.ware, steve.dower
2019-02-18 16:50:46 | chris-k | set | messageid: <1550508646.46.0.163565845406.issue36011@roundup.psfhosted.org>
2019-02-18 16:50:46 | chris-k | link | issue36011 messages
2019-02-18 16:50:46 | chris-k | create |