@PeterMeagher,
Thank you for your patience with us. Let me start with some background on why the root cert is needed and how the trusted root certificate program works.
Why is the root certificate needed in the trusted root store on any machine?
Every operating system (OS) has a local certificate store where it stores trusted CA root certificates and trusted intermediate CA certificates. This helps any application or other systems/services verify the certificate chain. For example, if you open https://learn.microsoft.com in Microsoft Edge, the browser will be presented with a server-side certificate with which the learn.microsoft.com website tries to prove its identity (please check the screenshot for reference). The Edge browser will call the internal Windows security APIs to query the trusted root store for every certificate in the certificate chain, as you see in the picture, until it reaches the root certificate. It will check multiple other attributes of the certificate, like the SAN name, key identifier etc., to see if the server certificate is valid and was actually provided by a valid root CA that the OS already trusts. In your case, since the OS does not have the certificate that winatp-gw-cus.microsoft.com presents, you get the NET::ERR_CERT_AUTHORITY_INVALID error.
How does the Trusted Root certificate program work? Reference
Most OS/device/platform software manufacturers maintain a list of CA certificates which are trusted by default. They run trusted root certificate programs. Some of the most widely used OSes, like Windows, iOS, Android, Oracle Linux etc., have their own root certificate programs as listed below.
The above is just an indicative list of the most popular programs. There are other vendors who run similar programs. The companies who run root certificate authorities share their root CA certificate with the OS/software vendors by participating in the above programs, and that is how the root CA flows to the trusted store of every OS/software/device for end users to use.
Some Linux OSes, like Debian, use the trusted certificate authority list from the Mozilla root program. I am not sure which version of Linux you are using, but as you have mentioned that adding the root certificate to the trusted store within the Linux OS fixed the issue, that tells us that the correct root certificate is not present in the trusted root store on the OS.
Placing a root certificate within a trusted store in the OS helps applications or users validate the certificates presented by any system/app/service and verify the chain up to one of the trusted root certificates. Ideally the EC2 Linux OS should have had the Microsoft CA certificate, and I am not sure why that happened. It can only happen if the EC2 image is customized to remove certificates, or whichever root program they follow does not include all the recent trusted root CA certificates from the widely used trusted root programs which every software vendor includes. AWS has its own root certificates, but I was not able to find details about their root program. It may be something which is not published publicly.
Now coming to your question of whether it is good practice to manually add certificates to the trusted root store or not: I think in your specific case this is safe to add going forward, as long as it is just this root certificate from Microsoft. The only problem with adding a trusted root certificate manually is that you will need to verify the trusted root certificate yourself, and if you are sure that it is from the valid provider (like Microsoft in this case) then you can safely add it. The onus to verify the security/identity of the certificate lies with the individual doing it. In your case, I would suggest reporting this to Amazon support so that they can update the certificates within their Linux images to fix this issue broadly for everyone who is trying to use Defender for Linux servers.
Hope the above provides the detailed clarification you requested. I have included multiple links, and the information may be a little more than you requested, yet I thought it would be good to add the details to make it more understandable. Should this information help, please accept the post as the answer for others searching for similar queries. In case of any further queries, let us know and we would be happy to answer them.
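The chain walk described in the answer above, as an added example that is not part of the original post and not Microsoft, AWS or Defender code: it builds a constructed root CA, issuing CA and server certificate with Go's standard crypto/x509 package and verifies the server certificate against an in-memory trust store, with the root present, with the root missing (the situation behind NET::ERR_CERT_AUTHORITY_INVALID), and against the wrong host name. All certificate names (demo-root-ca.example, gateway.example, ...) are made-up placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for dnsName signed by issuer; a nil issuer makes a self-signed root CA.
func issue(dnsName string, isCA bool, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: dnsName},
		DNSNames:              []string{dnsName}, // SAN: the name a client compares with the URL host
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if issuer == nil {
		issuer, issuerKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Demo builds a constructed root -> issuing CA -> server chain (placeholder names) and verifies the server cert three ways.
func Demo() (withRoot, emptyStore, wrongHost error) {
	root, rootKey := issue("demo-root-ca.example", true, nil, nil)
	ca, caKey := issue("demo-issuing-ca.example", true, root, rootKey)
	leaf, _ := issue("gateway.example", false, ca, caKey)
	store, sent := x509.NewCertPool(), x509.NewCertPool() // store = OS trusted root store; sent = what the server presents
	store.AddCert(root)
	sent.AddCert(ca)
	_, withRoot = leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: sent, DNSName: "gateway.example"})               // chain reaches a trusted root: ok
	_, emptyStore = leaf.Verify(x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: sent, DNSName: "gateway.example"}) // root not in store: unknown authority
	_, wrongHost = leaf.Verify(x509.VerifyOptions{Roots: store, Intermediates: sent, DNSName: "other.example"})                 // good chain, SAN mismatch
	return
}

func main() {
	fmt.Println(Demo())
}
```

Adding the root to the store is the only step that turns the second case into the first, which is why the fix on the EC2 instance worked; the third case shows that a trusted root alone is not enough, the SAN must match too.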