SChannel certificate ordering in Windows 11 22H2 using QueryContextAttributes

Nathan 21 Reputation points
2022-10-11T23:17:49.69+00:00

Using QueryContextAttributes with the SECPKG_ATTR_REMOTE_CERT_CONTEXT flag we are seeing certificates returned in a different ordering than what older versions of Windows 11 return, and wanted to confirm that this change was made, because there is no documentation concerning it.

Previous versions of Windows would return the certificate chain with the issuer certificates first followed by the subject/leaf certificate; now, starting in Windows 11 22H2 (including the September and October updates), we are seeing the certificate chain ordering return the subject/leaf certificate first followed by the issuer certificates.

I have filed an issue report with the curl project with the details, because they are currently affected by the change: https://github.com/curl/curl/issues/9706


7 answers

  1. Nathan 21 Reputation points
    2022-10-12T13:51:05.503+00:00

    We are looking for confirmation that the ordering of the certificate chain has changed in recent Windows 11 22H2 when using the QueryContextAttributes() and CertEnumCertificatesInStore() functions.

    We know that other third-party libraries return the subject/leaf certificates first and issuer/ca certificates last. However SChannel did not previously do this prior to Windows 11 22H2. We know this because several open-source projects had to make changes to accommodate this. I have documented it here https://github.com/curl/curl/issues/9706.

    1 person found this answer helpful.

  2. Nathan 21 Reputation points
    2022-10-18T17:33:53.01+00:00

    This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.

    Something changed in Win 11 22H2 and that is no longer the case. The leaf certificate is returned first now instead of last.

    1 person found this answer helpful.

  3. Tong Xu - MSFT 2,546 Reputation points Microsoft External Staff
    2022-10-12T06:37:19.783+00:00

    Hi, @Nathan
    Consider it's not a problem with Windows 11.

    When HTTPS requests browse the certificate chain step by step, it seems that the node reorders the certificates returned in getPeerCertificates,

    so that they reflect the correct order in the chain of trust (*).

    Using SSL_get_peer_certificate and SSL_get_peer_cert_chain, it retrieves the leaf certificate and the original peer certificate chain from the openssl database. Then, instead of returning the certificates in the original chain order, it scans the chain and, by checking with X509_check_issued, adds certificates in the order they depend on each other.

    In this way, it returns certificates in the appropriate dependency order, rather than the original order sent by the peer. It also automatically skips any certificates that do not belong to the chain.

    It also adds the issuer of the certificate, even if it is not included in the chain (usually it is not). In this way, you can not only obtain different certificate orders.


  4. Tong Xu - MSFT 2,546 Reputation points Microsoft External Staff
    2022-10-12T07:20:43.393+00:00

    It is worth noting that the last certificate in the certificate chain must verify the correct content; please refer to these documents for details:
    https://learn.microsoft.com/en-us/windows/win32/secauthn/performing-authentication-using-schannel

    https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials

    In the case of cross-authentication between different intermediate CA certificates, the same terminal certificate also forms multiple certificate chains, which may even point to different root certificates.


  5. Limitless Technology 44,766 Reputation points
    2022-10-18T07:14:54.95+00:00

    Hi

    Thank you for posting your query.

    Kindly follow the steps provided below to resolve your issue.

    By default, Schannel validates the server certificate by calling the WinVerifyTrust function; however, if you have disabled this feature using the ISC_REQ_MANUAL_CRED_VALIDATION flag, you must validate the certificate provided by the server that is attempting to establish its identity.

    To manually validate the server certificate, you must first get it. Use the QueryContextAttributes (General) function and specify the SECPKG_ATTR_REMOTE_CERT_CONTEXT attribute value. This attribute returns a CERT_CONTEXT structure containing the certificate supplied by the server. This certificate is called the leaf certificate because it is the last certificate in the certificate chain and is farthest away from the root certificate.

    Go to this link for your reference https://learn.microsoft.com/en-us/windows/win32/secauthn/manually-validating-schannel-credentials

    ------------------------------------------------------------------------------------------------------------------------------------

    If the answer is helpful kindly click "Accept as Answer" and upvote it. Thanks.
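The two answers above (Tong Xu's description of re-scanning a chain by issuer relationships, and the manual-validation procedure quoted from the Microsoft docs) both come down to the same practical point: code that pulls the peer certificate with SECPKG_ATTR_REMOTE_CERT_CONTEXT and then walks the attached store with CertEnumCertificatesInStore must not depend on the order the store enumerates, because that order is unspecified and, per this thread, changed in 22H2. The following is an added example, not code from the thread, from curl or from Windows, showing the order-independent walk: starting from the leaf, repeatedly find the certificate whose subject matches the current issuer, skip anything unrelated, stop at a self-signed certificate, and refuse loops. To keep it runnable without Windows headers, a certificate is modelled as a pair of hypothetical distinguished-name strings; with real CERT_CONTEXT objects the strcmp calls would become CertCompareCertificateName on pCertInfo->Subject / pCertInfo->Issuer, or, better, the leaf would simply be handed to CertGetCertificateChain, which builds and orders the chain itself (element 0 is the end-entity certificate).

```c
/* Added example: leaf-first ordering of a peer-supplied certificate set that
 * does not depend on store enumeration order. Not from the thread or curl.
 * Certificates are modelled as DN strings (assumption) so this compiles and
 * runs anywhere; see the lead-in for the CryptoAPI equivalents. */
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 8

typedef struct {
    const char *subject;   /* hypothetical subject DN */
    const char *issuer;    /* hypothetical issuer DN */
} cert_t;

/* Walk from the leaf up through the pool. Writes at most out_max pointers,
 * leaf first. Returns the chain length, or -1 on an issuer loop / overflow.
 * The walk ends at a self-signed certificate or when the pool contains no
 * certificate whose subject matches the current issuer (an incomplete chain
 * that the caller must still treat as such). Unrelated pool entries are
 * never selected, so they are skipped automatically. */
static int build_chain(const cert_t *leaf, const cert_t *pool, int pool_len,
                       const cert_t **out, int out_max)
{
    const cert_t *cur = leaf;
    int len = 0;

    while (cur != NULL) {
        if (len >= out_max)
            return -1;
        for (int i = 0; i < len; i++)          /* loop guard */
            if (out[i] == cur)
                return -1;
        out[len++] = cur;

        if (strcmp(cur->subject, cur->issuer) == 0)
            break;                             /* self-signed: top of chain */

        const cert_t *next = NULL;
        for (int i = 0; i < pool_len; i++) {
            if (strcmp(pool[i].subject, cur->issuer) == 0) {
                next = &pool[i];
                break;
            }
        }
        cur = next;                            /* NULL: issuer not supplied */
    }
    return len;
}

/* Constructed sample in the "issuer first" order the thread reports for
 * pre-22H2 Windows, plus one certificate that is not part of the chain. */
static const cert_t sample_pool[] = {
    { "CN=Example Root CA",         "CN=Example Root CA" },
    { "CN=Example Intermediate CA", "CN=Example Root CA" },
    { "CN=Unrelated Cert",          "CN=Some Other CA" },
    { "CN=www.example.test",        "CN=Example Intermediate CA" },
};
#define SAMPLE_LEN (int)(sizeof sample_pool / sizeof sample_pool[0])

/* Chain length for the sample; the leaf is what SECPKG_ATTR_REMOTE_CERT_CONTEXT
 * would have returned, i.e. the server certificate itself. */
int example_chain_len(void)
{
    const cert_t *out[MAX_CHAIN];
    return build_chain(&sample_pool[3], sample_pool, SAMPLE_LEN, out, MAX_CHAIN);
}

/* Subject at position i of the ordered sample chain, or NULL if out of range. */
const char *example_chain_subject(int i)
{
    const cert_t *out[MAX_CHAIN];
    int len = build_chain(&sample_pool[3], sample_pool, SAMPLE_LEN, out, MAX_CHAIN);
    return (i >= 0 && i < len) ? out[i]->subject : NULL;
}

/* Two certificates that claim to issue each other: must be rejected (-1). */
int example_loop_result(void)
{
    static const cert_t loop[] = {
        { "CN=A", "CN=B" },
        { "CN=B", "CN=A" },
    };
    const cert_t *out[MAX_CHAIN];
    return build_chain(&loop[0], loop, 2, out, MAX_CHAIN);
}

int main(void)
{
    int len = example_chain_len();
    for (int i = 0; i < len; i++)
        printf("%d: %s\n", i, example_chain_subject(i));
    printf("loop case: %d\n", example_loop_result());
    return 0;
}
```

Ordering is not validation: once the chain is assembled, it still has to be checked against a trusted root, revocation and the expected host name, which on Windows is CertVerifyCertificateChainPolicy on the chain returned by CertGetCertificateChain, as the linked "manually validating Schannel credentials" page describes.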

