Root Store - secuguru/security-terms GitHub Wiki

A Root Store is a collection of trusted root certificates used by operating systems, web browsers, and other software to establish secure connections over the internet. These root certificates are issued by trusted Certificate Authorities (CAs) and serve as the foundation for digital trust in public key infrastructure (PKI). When your device, application, or browser connects to a website or service using SSL/TLS, the root store is used to validate the legitimacy of the site’s certificate.

Key Concepts of Root Stores:

  1. Root Certificates:
  • Root certificates are the trusted starting points in a chain of trust. These certificates are self-signed and are issued by Certificate Authorities (CAs), which are organizations that verify and authenticate the identity of websites or organizations.
  • When a website presents its certificate (issued by an intermediate or root CA), the operating system or browser verifies it against the root certificates in the root store. If the root of the certificate chain is trusted, the entire chain is considered valid.
  1. Certificate Authorities (CAs):
  • CAs are trusted organizations that issue certificates to websites, applications, or services. Root CAs are the highest level of trust in the PKI hierarchy, and their certificates are pre-installed in root stores.
  • Examples of widely trusted CAs include DigiCert, Let’s Encrypt, GlobalSign, and Entrust.
  1. Chain of Trust:
  • When a client (e.g., a web browser) connects to a server using SSL/TLS, the server provides a certificate chain that includes its own certificate and any intermediate certificates leading up to the root certificate. The root store on the client side verifies the chain, starting from the root, to ensure the certificate is legitimate and trusted.
  1. Locations of Root Stores:
  • Operating Systems: Both Windows and macOS maintain their own root stores. These are updated periodically to add or remove trusted root certificates.
  • Web Browsers: Some browsers, like Mozilla Firefox, use their own root store rather than relying on the operating system’s root store.
  • Mobile Devices: Mobile operating systems like iOS and Android also maintain their own root stores, which are essential for secure communication between apps and services.
  1. Updates and Security:
  • Root stores are regularly updated to include new trusted root certificates or to remove ones that are no longer trusted or have been compromised.
  • For example, if a root certificate authority is found to be issuing fraudulent certificates, the root certificate can be removed from the root store to prevent any certificates issued by that CA from being trusted.
  • Root store updates ensure that users are protected against compromised or outdated root certificates.

Types of Root Stores:

  • Microsoft Windows Root Store: Managed by Microsoft and used by applications running on Windows. It is regularly updated via Windows Update.
  • Apple Root Store: Managed by Apple for macOS and iOS devices, used by Safari and other Apple services.
  • Mozilla Root Store: Managed by Mozilla for Firefox, which uses its own root store independent of the operating system.
  • Android Root Store: Managed by Google and used by Android devices to verify SSL/TLS certificates.

Why Root Stores Are Important:

  • Establish Trust: Root stores ensure that users are only connecting to websites and services that have been authenticated by a trusted CA.
  • Secure Connections: Root stores play a crucial role in enabling SSL/TLS connections, which are used to encrypt data and ensure the security of communication on the internet.
  • Certificate Validation: Without root stores, it would be difficult to verify the authenticity of certificates, making secure connections impossible.

Summary:

A Root Store is a collection of trusted root certificates maintained by operating systems, web browsers, and mobile devices. These root certificates serve as the foundation for validating SSL/TLS certificates, ensuring secure communication between clients and servers. Root stores are updated regularly to maintain trust and security, and they are essential for enabling safe browsing, email, and other internet-based communications.