

How Windows 10 certificates create a chain of trust

Certificates in Windows 10 create a chain of trust that confirms the identity of the parties in a connection, whether a user accessing corporate resources or the server she connects to, and ensures that the connection goes to the intended endpoint rather than an impostor.

Windows 10 certificates, which identify the individuals, computers and services the OS communicates with, are organized in certificate stores, which are central to all certificate functions.

In most cases, certificate authorities (CAs), whose purpose is to ensure the identity of a certificate holder to establish trusted connections, are responsible for issuing Windows 10 certificates.

The chain of trust

A vendor selling products through its website often assigns a certificate to the website to ensure that its connections are trusted. As with any certificate-based communication, for the user to trust that certificate, a reliable CA that has properly validated the subject's identity should issue it.

An organization can set up its own CA, but most CAs are third-party entities with established reputations and a history of issuing reliable certificates. In either case, the CA can issue certificates that support a variety of use cases, including website authentication, code signing, email messages and more.


CAs issue certificates based on a hierarchical chain of trust that starts with the CA's trusted root certificate. The root certificate sits on top of the trust hierarchy and provides the foundation for all the other certificates that CA issues. The root certificate is seldom issued directly to a subject, but instead provides the identifying anchor in the chain of trust, with all the child certificates linking back to the root.

Specific child certificates establish intermediate CAs that issue the certificates to the subjects, creating a hierarchical chain made up of multiple tiers. Each certificate names its issuer, and Windows uses that to build the complete chain back to a root; the certificate viewer shows the result on its Certification Path tab. From the user's perspective, the only thing that matters is that the chain ends at a trusted root, which implies that the certificates below it are trusted and, subsequently, so is the certificate's subject.

Windows 10 keeps certificates in two basic store types, and the chain of trust is evaluated against the roots they contain:

  • Local machine certificates are local to the computer but global to all its users, so they are well-suited to services and server processes such as IIS hosting ASP.NET. Windows stores them under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates in the registry (the Cert:\LocalMachine drive in PowerShell).
  • Current user certificates are specific to a user account on the computer and are better suited to client applications. Windows stores them under HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates (Cert:\CurrentUser in PowerShell).

Each store type includes multiple stores that provide the overall certificate organization, such as Personal, Intermediate Certification Authorities and Trusted Root Certification Authorities. Of these, the most important is Trusted Root Certification Authorities, which contains the self-signed root certificates of the CAs the computer trusts. These roots are the anchors of the chain of trust: any certificate whose chain links back to one of them is trusted, and a certificate whose chain does not is rejected no matter who signed it.

Certificate-based validation process

The certificates in the Trusted Root Certification Authorities store are pivotal to most certificate-based communications between a Windows 10 computer and other entities. By default, the store is populated with the roots of public CAs that participate in the Microsoft Trusted Root Program; Windows delivers many of them on demand through its automatic root update mechanism, so the store can contain roots that were not visible before a given site was first visited. These root certificates provide the primary verification within the CA chain of trust.

The following steps show how a browser that relies on the Windows certificate stores (Microsoft Edge, for example) validates a website's TLS certificate, still commonly called an SSL certificate. Firefox ships its own root store and consults the Windows store only when configured to do so.

  1. Microsoft distributes the CA's root certificate to the Trusted Root Certification Authorities store through the Microsoft Trusted Root Program, or an IT administrator installs a root manually or through Group Policy.
  2. The CA verifies that the subject controls the server's domain name and issues a certificate for it, normally signed by one of its intermediate CAs rather than by the root itself.
  3. The subject installs the certificate and its private key on the web server, together with the intermediate certificate(s) that link it to the root, and makes it available for user connections.
  4. The user connects to the website through a browser, which starts the TLS handshake.
  5. The web server sends the browser its certificate and the intermediate certificates.
  6. The browser builds a chain from the server certificate through the intermediates to a root in the computer's Trusted Root Certification Authorities store. Along the way it verifies each signature with the issuer's public key, checks that every certificate is within its validity period, that the server certificate's subject alternative name matches the host name in the URL, that the certificate is permitted for server authentication, and, where CRL or OCSP information is available, that nothing in the chain has been revoked.
  7. If every check passes, the browser establishes the secure connection, and the user can browse the site and access its resources. The user can also view the certificate by clicking the lock icon associated with the URL in the address bar. Along with the other information, the certificate will display the CA chain of trust.

If any of these checks fails, because the root is unknown, a certificate has expired or the host name does not match, the browser does not silently connect: it displays a certificate error and, depending on the browser and the error, either blocks the site or lets the user proceed only after an explicit warning.
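The procedure above, as an added example that is not code from the original article: the script builds a root, an intermediate and a server certificate entirely in memory with .NET's CertificateRequest class, then validates the server certificate with X509Chain, the same engine Windows uses, against a stand-in for the Trusted Root Certification Authorities store. It needs PowerShell 7.3 or later (.NET 7) for the CustomRootTrust policy and MatchesHostname; the CA names and the host name shop.example.test are made up for the example.

```powershell
# Added example (not from the original article). Builds root -> intermediate -> leaf
# in memory and validates the leaf the way CryptoAPI validates a TLS server certificate.
# Requires PowerShell 7.3+ (.NET 7). 'shop.example.test' and the CA names are invented.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function New-TestCertificate {
    param(
        [string] $Subject,
        [X509Certificate2] $Issuer,      # $null -> self-signed root
        [bool] $IsCa,
        [string[]] $DnsNames = @()
    )
    $key = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $key, [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # basicConstraints and keyUsage are what make a certificate a CA (or not)
    $req.CertificateExtensions.Add([X509BasicConstraintsExtension]::new($IsCa, $false, 0, $true))
    $req.CertificateExtensions.Add([X509SubjectKeyIdentifierExtension]::new($req.PublicKey, $false))
    if ($IsCa) {
        $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]'KeyCertSign, CrlSign', $true))
    } else {
        $req.CertificateExtensions.Add([X509KeyUsageExtension]::new([X509KeyUsageFlags]::DigitalSignature, $true))
        $eku = [OidCollection]::new()
        [void]$eku.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # id-kp-serverAuth
        $req.CertificateExtensions.Add([X509EnhancedKeyUsageExtension]::new($eku, $false))
        $san = [SubjectAlternativeNameBuilder]::new()
        foreach ($name in $DnsNames) { $san.AddDnsName($name) }
        $req.CertificateExtensions.Add($san.Build())
    }
    $notBefore = [DateTimeOffset]::UtcNow.AddDays(-1)
    $notAfter  = [DateTimeOffset]::UtcNow.AddDays(365)
    if ($null -eq $Issuer) { return $req.CreateSelfSigned($notBefore, $notAfter) }
    $serial = [byte[]]::new(8)
    [RandomNumberGenerator]::Fill($serial)
    $serial[0] = $serial[0] -band 0x7F     # keep the serial a positive integer
    $cert = $req.Create($Issuer, $notBefore, $notAfter, $serial)
    # Create() returns only the public half; keep the key so this cert can sign children
    return [RSACertificateExtensions]::CopyWithPrivateKey($cert, $key)
}

function Test-ServerCertificate {
    param(
        [X509Certificate2] $Leaf,
        [X509Certificate2[]] $Sent = @(),          # intermediates the server sends with its leaf
        [X509Certificate2[]] $TrustedRoots = @(),  # stands in for Cert:\LocalMachine\Root
        [string] $HostName
    )
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.TrustMode = [X509ChainTrustMode]::CustomRootTrust
    $chain.ChainPolicy.CustomTrustStore.AddRange($TrustedRoots)
    $chain.ChainPolicy.ExtraStore.AddRange($Sent)
    # Test certificates carry no CRL/OCSP pointers; use Online against real servers
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck
    $chain.ChainPolicy.ApplicationPolicy.Add([Oid]::new('1.3.6.1.5.5.7.3.1'))   # must be usable for server auth
    # Build() verifies every signature, validity period, basic constraint and key usage in the path
    $chainOk = $chain.Build($Leaf)
    # The chain says who the certificate belongs to; the SAN check says it is the site we asked for
    $hostOk = $Leaf.MatchesHostname($HostName)
    [pscustomobject]@{
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        Status  = if ($chain.ChainStatus.Count) { ($chain.ChainStatus.Status | Select-Object -Unique) -join ', ' } else { 'OK' }
        Trusted = $chainOk
        NameOK  = $hostOk
        Connect = $chainOk -and $hostOk
    }
}

$root  = New-TestCertificate -Subject 'CN=Example Root CA'      -Issuer $null  -IsCa $true
$inter = New-TestCertificate -Subject 'CN=Example Issuing CA 1' -Issuer $root  -IsCa $true
$leaf  = New-TestCertificate -Subject 'CN=shop.example.test'    -Issuer $inter -IsCa $false -DnsNames 'shop.example.test'

# 1. Root trusted, name matches: the browser would show the lock icon
Test-ServerCertificate -Leaf $leaf -Sent $inter -TrustedRoots $root -HostName 'shop.example.test'
# 2. Same chain, but the root was never placed in the trusted store: UntrustedRoot, so a warning
Test-ServerCertificate -Leaf $leaf -Sent $inter, $root -HostName 'shop.example.test'
# 3. Valid, trusted chain for the wrong site: the certificate is genuine but not for this host name
Test-ServerCertificate -Leaf $leaf -Sent $inter -TrustedRoots $root -HostName 'www.example.test'
```

Case 2 is the one that matters for the rest of this article: nothing about the chain changed between case 1 and case 2 except whether the root sits in the trusted store, which is exactly what an administrator (or an attacker with administrative rights) controls when they add a certificate to Trusted Root Certification Authorities. To validate a live server instead, replace the in-memory certificates with the X509Certificate2 objects captured from an SslStream callback and set RevocationMode to Online.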

Windows 10 certificates

IT administrators can configure the default CAs in the Trusted Root Certification Authorities store, as well as install their own.

Using Group Policy, they can distribute root certificates to the computers in an organizational unit so all members share the same trust list. IT admins can also install certificates on a computer manually. Windows trusts any certificate placed in the Trusted Root Certification Authorities store as a trust anchor, regardless of who issued it: a self-signed certificate dropped into that store becomes a root CA that can vouch for any website, code signer or email sender, and Windows applies no further verification to it. IT should therefore restrict who can write to that store, install only roots whose origin has been verified, and audit the store's contents on managed computers.
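An audit of that store, as an added example that is not code from the original article: the script lists every certificate in the machine-wide and per-user Trusted Root stores and flags entries an administrator should look at, because anything in those stores is a root CA as far as Windows is concerned. The flag names are made up for this script; the store paths and cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the original article): audit the trust anchors on this
# machine. The flag names are invented for this script.
function Get-TrustedRootAudit {
    param([string[]] $StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root'))
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $flags = @()
            # A genuine root is self-signed; anything else here was put there by hand, policy or malware
            if ($cert.Subject -ne $cert.Issuer) { $flags += 'NotSelfSigned' }
            $bc = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
            if (-not $bc -or -not $bc.CertificateAuthority) { $flags += 'NoCaConstraint' }
            if ($cert.NotAfter -lt (Get-Date)) { $flags += 'Expired' }
            if ($cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') { $flags += 'WeakSignature' }
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            if ($rsa -and $rsa.KeySize -lt 2048) { $flags += 'ShortRsaKey' }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Flags      = $flags -join ','
            }
        }
    }
}

# Show only the entries that raised a flag; drop the filter to review the whole trust list
Get-TrustedRootAudit | Where-Object Flags | Sort-Object Store, Subject | Format-Table -AutoSize
```

NotSelfSigned and NoCaConstraint are the flags worth chasing first, since a leaf or intermediate certificate in the Root store is never legitimate. WeakSignature is informational on a self-signed root: Windows never verifies a root's own signature, because the root is trusted by its presence in the store, so an old SHA-1-signed root from the Microsoft Trusted Root Program is expected, whereas SHA-1 on an intermediate would matter. Roots pushed by Group Policy show up in Cert:\LocalMachine\Root alongside the locally installed ones, so compare the thumbprints against the list the policy is supposed to deliver.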
