Check Computer Root Trust Stores

TL;DR

Your computer relies on more than just the 46 root certificates you might be aware of. This guide shows you how to find and examine the other trust stores used by different parts of your system – browsers, operating system components, Java, Python, etc. This matters because a compromised or rogue root in any of these less-obvious stores is enough for an attacker’s forged certificates to pass validation in the software that trusts that store, even if the main OS store is clean.

Finding Other Roots of Trust

  1. Understand What a Root Store Is: A root store is simply a collection of trusted certificates that your computer uses to verify the identity of websites and software. Different applications maintain their own stores, separate from the main operating system trust store.
  2. Check Your Web Browsers: Browsers have their *own* certificate authorities (CAs) built in. These are often updated independently of your OS.
    • Chrome/Edge: Type chrome://settings/security into the address bar and click ‘Manage certificates’.
    • Firefox: Go to Settings > Privacy & Security > Certificates > View Certificates.
  3. Examine the Operating System Trust Store (Windows): Windows uses the Certificate Manager.
    • Open ‘certmgr.msc’ by pressing Win+R, typing it in and pressing Enter.
    • Expand ‘Trusted Root Certification Authorities’. This is where your 46 certificates (and others) will be located.
  4. Examine the Operating System Trust Store (macOS): macOS uses Keychain Access.
    • Open Keychain Access (Applications > Utilities).
    • Select ‘System’ keychain.
    • Search for certificates with ‘Root’ in their name.
  5. Check Java’s Trust Store: If you have Java installed, it has its own trust store (the ‘cacerts’ keystore), which is not affected by changes to the OS store.
    • Open a command prompt or terminal.
    • List the contents of the keystore using:
      keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

      (Replace $JAVA_HOME with your Java installation directory.) You’ll be prompted for a password (usually ‘changeit’). That path applies to Java 8 and earlier; on Java 9 and later the file lives at $JAVA_HOME/lib/security/cacerts, and keytool -list -cacerts opens it without spelling out the path.

  6. Check Python’s Trust Store: Python uses the system trust store by default, but some packages might bundle their own.
    • Use the `certifi` package to find where Python is looking for certificates:
      python -c "import certifi; print(certifi.where())"
    • Inspect the contents of that file (it’s usually a .pem file) using a text editor or a command-line tool like openssl.
      openssl x509 -in /path/to/certifi/cacert.pem -text
    • Note that openssl x509 only decodes the first certificate in a bundle. To see every entry, split the file into one certificate per block first (openssl’s crl2pkcs7 and pkcs7 -print_certs subcommands can also list a whole bundle’s subjects and issuers).
  7. Check Other Applications: Some applications (like email clients, VPN software, and development tools) may have their own trust stores.
    • Consult the application’s documentation to find out how to access its certificate store. Look for settings related to ‘security’, ‘certificates’, or ‘SSL/TLS’.
  8. Review Package Managers: If you use package managers like `apt` (Debian/Ubuntu) or `yum` (Red Hat/CentOS), they also maintain their own trust stores for verifying downloaded packages.
    • These are usually system-level and managed by the OS, but it’s worth being aware of them. They hold the repository signing keys (GPG/PGP keys) that package signatures are checked against rather than X.509 CA certificates, so a key added to one of these keyrings lets whoever holds it publish packages the system will accept.
  9. Look for Configuration Files: Some applications store certificate paths in configuration files or read them from environment variables.
    • Search your system for files containing strings like ‘certificate’, ‘CA’, or ‘SSL’, and check environment variables such as SSL_CERT_FILE, SSL_CERT_DIR and REQUESTS_CA_BUNDLE, which redirect OpenSSL-based tools and Python’s requests library to a different bundle.

What to Do With This Information

Once you’ve identified these trust stores, consider the following:

  • Keep them updated: Regularly update your operating system and applications.
  • Verify certificates: Check that the certificates in each store are from trusted CAs. The practical way to do this is to record each certificate’s fingerprint and compare it against a known-good baseline (the vendor’s published list or a snapshot from a clean machine), so that an entry you did not put there stands out.
  • Be cautious of self-signed certificates: Every genuine root CA certificate is self-signed by nature, so the thing to watch for is a self-signed entry you did not expect, such as one added by a TLS-inspecting proxy, an endpoint agent or a developer tool. Self-signed certificates should only be used in controlled environments where you know who holds the private key.
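The following script is an added example (not code from the original guide) that carries out step 6 and the ‘Verify certificates’ advice above in one go: it splits a PEM bundle into its individual certificates, computes each one’s SHA-256 fingerprint (the same value openssl prints with -fingerprint -sha256), compares them against a known-good baseline, and, when pointed at a real bundle, asks Python’s own OpenSSL to report subject, expiry and whether each entry is self-signed. It uses only the standard library. The bundle it inspects by default is the one ssl.get_default_verify_paths() reports (you can pass the certifi path from step 6 as the first argument instead); the SAMPLE_BUNDLE and SAMPLE_BASELINE values are constructed for the demonstration and are not real certificates.

```python
"""Audit a PEM trust store bundle using only the Python standard library.

Added example, not part of the original guide.  Assumes a PEM bundle such as
the file returned by certifi.where() or the cafile reported by
ssl.get_default_verify_paths().  SAMPLE_BUNDLE / SAMPLE_BASELINE below are
constructed test data, not real certificates.
"""
import hashlib
import os
import re
import ssl
import sys
import time

# One match per certificate block; re.S lets '.' span the base64 lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every certificate block in a bundle as its own PEM string.

    'openssl x509 -in bundle.pem -text' decodes only the first block, which
    is why a bundle must be split before each root can be looked at.
    """
    return PEM_BLOCK.findall(text)


def fingerprint_sha256(pem_block):
    """SHA-256 over the DER bytes, formatted like
    'openssl x509 -noout -fingerprint -sha256' (AA:BB:CC:...)."""
    der = ssl.PEM_cert_to_DER_cert(pem_block)  # header/footer check + base64 decode
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def audit_bundle(text, baseline):
    """Compare a bundle against a known-good set of fingerprints.

    Returns (known, unknown).  'unknown' holds fingerprints that are in the
    bundle but not in the baseline: roots added since the baseline was taken,
    which should be checked against the vendor's published list.
    """
    known, unknown = [], []
    for block in split_pem_bundle(text):
        fp = fingerprint_sha256(block)
        (known if fp in baseline else unknown).append(fp)
    return known, unknown


def describe_bundle(path):
    """Have OpenSSL parse a real bundle and return one record per root:
    (subject name, not_after_epoch, expired, self_signed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # loads no default certs
    ctx.load_verify_locations(cafile=path)
    records = []
    for cert in ctx.get_ca_certs():
        subject = dict(pair for rdn in cert["subject"] for pair in rdn)
        not_after = ssl.cert_time_to_seconds(cert["notAfter"])
        records.append((
            subject.get("commonName") or subject.get("organizationName"),
            not_after,
            not_after < time.time(),
            cert["subject"] == cert["issuer"],  # every genuine root is self-signed
        ))
    return records


# Constructed sample: two syntactically valid PEM blocks whose bodies are the
# base64 of b"abc" and of b"" -- enough to exercise splitting and fingerprinting.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
"""
# Constructed baseline: only the first sample block counts as "known".
SAMPLE_BASELINE = {fingerprint_sha256(split_pem_bundle(SAMPLE_BUNDLE)[0])}


def main(argv):
    # Where Python's OpenSSL looks by default; honours SSL_CERT_FILE / SSL_CERT_DIR.
    paths = ssl.get_default_verify_paths()
    print(f"default cafile: {paths.cafile}  capath: {paths.capath}")
    target = argv[1] if len(argv) > 1 else paths.cafile
    if not target or not os.path.exists(target):
        print("no bundle to inspect; pass a PEM path as the first argument")
        return
    with open(target, encoding="ascii", errors="replace") as f:
        blocks = split_pem_bundle(f.read())
    print(f"{len(blocks)} certificate blocks in {target}")
    for subject, not_after, expired, self_signed in describe_bundle(target):
        flags = ("EXPIRED " if expired else "") + ("" if self_signed else "NOT-SELF-SIGNED")
        print(f"{time.strftime('%Y-%m-%d', time.gmtime(not_after))}  {subject}  {flags}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it once on a freshly built machine, save the fingerprints as your baseline, and re-run audit_bundle against that baseline whenever the bundle changes; the unknown list is the set of roots that need a human to confirm where they came from. The NOT-SELF-SIGNED flag is worth a look too: an intermediate placed in a root store is trusted as if it were a root, which is rarely intended.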