When you connect the system to the internet and do the update it could download a pack of trusted certificates. These certificates will be added to the trusted root store. Existing ones will simply be IMO simply replaced.
another simple solution that worked for me to install net 4.8 in a fresh win 7sp1 is using the rootsupd.exe to update the certificates, you can download it from here ://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe
However, if you want to establish a reliable PKI, you also need to understand how PKI administrators manage PKI-user-side trust decisions. In this context, the concept of a trust anchor (i.e., a CA that the PKI user explicitly trusts under all circumstances) is particularly important.
Windows 2003 and Windows XP include several mechanisms to control a PKI user's trust anchors. Some are user-driven mechanisms; others are Local Machine Administrator-driven or even Domain or Enterprise Administrator- driven mechanisms. The administrator-driven mechanisms are available only when the PKI client is a member of a Windows 2003 domain and forest infrastructure. Table 1 lists the available mechanisms and their characteristics, which I discuss in more detail in the next sections.
User-Centric PKI Trust ManagementWindows 2003 and XP contain functionality to let PKI users make their own trust decisions. The key to this functionality is a user's certificate store and, more specifically, the trusted root CA's certificate container (aka the root certificate store). To access your personal certificate store, you can use the Microsoft Management Console (MMC) Certificates snap-in or the Microsoft Internet Explorer (IE) certificates viewer. To open the certificates viewer, open IE, select Internet Options, go to the Content tab, and click Certificates.
All CA certificates in the root certificate store container are by default considered trust anchors, and by default, a PKI user controls which CA certificates he or she wants to add to or remove from this container. When a user tries to add a CA certificate to the root store, a dialog box opens that asks the user to confirm that he or she wants to add the certificate to the root store, which Figure 1 shows.
In a default Windows 2003 or XP installation, the root certificate store comes prepopulated with a set of CA certificates so that the user doesn't need to add all CA certificates to his or her store. However, using these certificates isn't a sound security practice; the user is relying on the software vendor's judgment to decide whether a certificate is trustworthy. Enterprises should remove all prepopulated CA certificates and add only the certificates that the IT department considers trustworthy. (In consumer environments, the prepopulated root store is a good solution from an ease-of-use perspective because it removes some of the complexity of working with PKI and PKI-enabled applications.)
Windows 2003 comes with an important new Group Policy Object (GPO) trust management extension. The extension lets administrators set whether a user is allowed to make his or her root certificate store trust decisions and to determine which certificate store containers are considered trust anchor stores. To access the new settings, open the MMC Group Policy Object snap-in, then open the Computer Configuration, Windows Settings, Security Settings, Public Key Policies, Trusted Root Certification Authorities GPO container, and select Properties. To let users make their own trust anchor decisions, select the Allow users to select new root certification authorities (CAs) to trust check box, as Figure 2 shows. If you set Client computers can trust the following certificate stores to Enterprise Root Certification Authorities, only the certificates stored in the CN=Certification Authorities,CN=Public Key Services,CN=Services,CN=Configuration,DC=,DC= AD container will be trusted. If you select Third-Party Root Certification Authorities and Enterprise Root Certification Authorities, the certificates in the above Active Directory (AD) container and the Ones in the certificate store's Third Party Root Certification Authorities container will be trusted.
Independent of the above settings, users can always set the applications or purposes for which they want to trust a particular certificate in their certificate store. To access this functionality, a user needs to open Certificate properties in the Certificates snap-in, go to the Details tab, click Edit Properties, select Enable only the following purposes, and select the applications or purposes for which he or she wants to trust the certificate, as Figure 3 shows. Setting this certificate property affects the selected applications the same as if the certificate contained an extended key usage (EKU) or Application Policy X.509 certificate extension.
Most of the trust anchor certificates in the root store are inherited from the local machine certificate store. Only the local administrator can directly modify the trust anchors on the local machine. To view the content of a machine's certificate store, open the Certificates snap-in and select the local machine. To see the certificates in their personal certificate store that are inherited from the local machine store, users can select Show physical certificate stores in the View options of their personal certificate store. Each Logical Certificate container holds a Local Computer container that stores the certificates inherited from the local machine certificate store.
Centralized User PKI Trust ManagementWindows 2003 provides three ways to centrally control a PKI user's trust anchors. You can manage trust anchors by using GPO settings, the NTAuth AD store, or the Windows Update service.
The two GPOs that let you control a user's trust anchors are the Trusted Root Certification Authorities GPO and the Enterprise Trust GPO. Both GPOs are located in the Computer Configuration, Windows Settings, Security Settings, Public Key Policies GPO container. The GPO settings are automatically downloaded to PKI clients as part of the Group Policy application process on the Windows client.
The Trusted Root Certification Authorities container is used to distribute trustworthy Enterprise CA certificates to PKI users. The CA entries in this container have unlimited trust (as long as the certificates haven't expired).
The Enterprise Trust container contains a set of certificate trust lists (CTLs), which are signed lists of CA certificates. The certificates are considered trust anchors only if the CTL is signed by using a private key whose public key certificate has been issued by another trust anchor. Administrators can limit how long the CTL entries are valid and for which applications they are valid. To do so, open the Group Policy Object snap-in, navigate to the User Configuration\\ Security Settings\\ Public Key Policies\\ Enterprise Trust container, right-click it, and select New, Certificate Trust List to open the Certificate Trust List Wizard, which Figure 4 shows.
The third centralized user PKI trust management solution is the Root Certificate Update Service, which is a Windows Update extension. This service provides a dynamic CA certificate distribution mechanism that can replace the preloaded CA certificates. You install the required client-side software through the Windows 2003 and XP Update Root Certificate component in the Control Panel Add/Remove Programs applet's Add/Remove Windows Components option.
Flexible PKI Trust DefinitionTrust is a fundamental concept of PKI. The enhanced trust features of Windows 2003 PKI simplify PKI user-side trust management and enable PKI users to make some trust decisions on their own. Every PKI user should have some understanding of how he or she can make basic PKI trust decisions.
When investigating TLS connectivity issues, please keep in mind that in the vast majorityof cases they are environment-specific (e.g. certificates are missing from the trusted certificate store)and do not indicate a bug or limitation in Erlang/OTP's TLS implementation. Please go through the steps outlinedin the Troubleshooting TLS guide to gathermore information first.
Certificate/key pairs are generated by tools such as OpenSSL and signed by entities called Certificate Authorities (CA).CAs issue certificates that users (applications or other CAs) use. When a certificate is signed by a CA, they form a chain of trust. Such chains can includemore than one CA but ultimately sign a certificate/key pair used by an application (a leaf or end user certificate).Chains of CA certificates are usually distributed together in a single file. Such file is called a CA bundle.
A TLS-enabled RabbitMQ node must have a set of Certificate Authority certificates it considers to be trusted in a file (a CA bundle),a certificate (public key) file and a private key file. The files will be read from the local filesystem. They must be readable by the effective userof the RabbitMQ node process.
Both ends of a TLS-enabled connection can optionally verifythe other end of the connection. While doing so, they try to locate a trusted Certificate Authority in the certificate listpresented by the peer. When both sides perform this verification process, this is knownas mutual TLS authentication or mTLS.More on this in the Peer Verification section.
In production environments certificates are generated by a commercial Certificate Authorityor a Certificate Authority issued by the internal security team. In those cases Certificate Authoritybundle files very likely will contain more than one certificate. This doesn't change how the bundle fileis used when configuration RabbitMQ as long as the same basic file and path requirements are met.In other words, whether the certificates are self-signed or issued by a trusted CA, they areconfigured the same way. The section on peer verification covers this in detail.
Note that tls-gen and the certificate/key pairsit generates are