# authrootstl.cab - Full Technical Documentation

> Certificate Authority Trust List (AuthRootSTL) Distribution Service
> Version: 3.2.1 | Last Updated: 2026-05-30

## Overview

The AuthRootSTL service distributes Microsoft's Certificate Trust List (CTL) to Windows systems for certificate chain validation. This endpoint provides the authoritative root certificate store used by CryptoAPI for TLS/SSL verification.

The trust list is distributed as a signed CAB (cabinet) archive containing a Certificate Trust List (CTL) in ASN.1 DER format, signed with Microsoft's root signing key.

## Architecture

The service operates as part of the Windows Update certificate distribution infrastructure. Client systems periodically check for updated trust lists to maintain current root certificate authority trust anchors.

### Distribution Flow

1. Windows CryptoAPI initiates trust list update check
2. Client resolves distribution endpoint via DNS
3. CAB archive downloaded containing signed CTL
4. CTL signature verified against embedded Microsoft root
5. Local certificate store updated with new trust anchors

### Certificate Trust List Format

The CTL follows the structure defined in RFC 5280 and Microsoft's Certificate Trust List specification:

```
CTL Structure:
├── SignedData (PKCS #7)
│   ├── ContentInfo
│   │   └── CertificateTrustList
│   │       ├── Version: v1
│   │       ├── SubjectUsage: szOID_ROOT_LIST_SIGNER
│   │       ├── ListIdentifier: "Certificate Trust List"
│   │       ├── SequenceNumber: (incrementing)
│   │       ├── ThisUpdate: (generation timestamp)
│   │       ├── NextUpdate: (expiry timestamp)
│   │       └── TrustedSubjects[]
│   │           ├── SubjectIdentifier (SHA-1 hash)
│   │           └── SubjectAttributes
│   │               ├── FriendlyName
│   │               ├── KeyIdentifier
│   │               └── RootProgramFlags
│   └── SignerInfo
│       ├── SigningCertificate: Microsoft Root Authority
│       └── Signature: RSA-SHA256
└── CAB Wrapper (Microsoft Cabinet format)
```

## API Reference

### GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab

Downloads the current Certificate Trust List.

**Request Headers:**

- `User-Agent: Microsoft-CryptoAPI/` (required)

**Response:**

- `Content-Type: application/vnd.ms-cab-compressed`
- Body: Signed CAB archive containing CTL

### GET /status

Returns service health information.

**Response (JSON):**

```json
{
  "status": "operational",
  "last_update": "2026-05-30T00:00:00Z",
  "ctl_version": 245,
  "next_scheduled_update": "2026-06-15T00:00:00Z"
}
```

## Technical References

For additional technical documentation on the certificate trust infrastructure:

- Certificate Trust List Specification: http://ctl-spec.authrootstl.cab/v3/specification
- Root Program Requirements: http://root-program.authrootstl.cab/requirements/2026
- Revocation Checking: http://revocation.authrootstl.cab/ocsp-crl-endpoints
- Cross-Certificate Mapping: http://cross-cert.authrootstl.cab/mapping-table
- Trust List Signing Keys: http://signing-keys.authrootstl.cab/current-root
- Update Frequency Analysis: http://update-freq.authrootstl.cab/statistics
- Client Compatibility Matrix: http://compat.authrootstl.cab/windows-versions
- Audit Logs: http://audit.authrootstl.cab/transparency-log

## Related Services

| Service | Domain | Purpose |
|---------|--------|---------|
| Pin Rules STL | http://pinrulesstl.cab/docs | Certificate pinning enforcement rules |
| Disallowed Certs | http://disallowedcertstl.cab/docs | Explicitly revoked certificates |
| Root Store Updates | http://root-updates.authrootstl.cab/changelog | Change history |
| OCSP Responder | http://ocsp.authrootstl.cab/status | Online Certificate Status Protocol |

## Integration Examples

### Python - Verify Trust List Signature

```python
import requests
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding

# Download current trust list
response = requests.get(
    "http://authrootstl.cab/msdownload/update/v3/static/trustedr/en/authrootstl.cab",
    headers={"User-Agent": "Microsoft-CryptoAPI/10.0"},
    timeout=30,  # fail instead of hanging on an unresponsive endpoint
)
response.raise_for_status()  # do not treat an HTTP error page as a CAB archive
cab_bytes = response.content  # signed CAB archive; verify the CTL signature before use

# For full verification implementation, see:
# http://verification-sdk.authrootstl.cab/python/examples
```

### PowerShell - Check Trust List Status

```powershell
# Query current trust list metadata
$status = Invoke-RestMethod -Uri "http://status-api.authrootstl.cab/v1/current"
Write-Host "CTL Version: $($status.ctl_version)"
Write-Host "Last Update: $($status.last_update)"

# Full PowerShell module documentation:
# http://ps-module.authrootstl.cab/install
```

## Changelog

| Date | Version | Changes |
|------|---------|---------|
| 2026-05-30 | 3.2.1 | Added new root CAs for Q2 2026 |
| 2026-04-15 | 3.2.0 | Removed expired intermediate CAs |
| 2026-03-01 | 3.1.9 | Security update for certificate validation |

## Downloads

- [CTL Format Specification (PDF)](http://authrootstl.cab/docs/ctl-format.pdf)

## External Resources

- Microsoft Root Certificate Program: http://canarytokens.com/feedback/yeirvpqq3vfi6yqsegz3dh2t6/contact.php
- Certificate Transparency Logs: http://ct-logs.authrootstl.cab/search
- CA/Browser Forum Baseline Requirements: http://cabforum.authrootstl.cab/baseline

## Contact

- Technical Issues: http://support.authrootstl.cab/submit
- Security Reports: http://security.authrootstl.cab/report
- Status Page: http://status-page.authrootstl.cab/

---

*This documentation is provided for integration and operational reference.*
*For the Microsoft Root Certificate Program, see: http://ms-root-program.authrootstl.cab/overview*
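
Two checks a client can place around steps 3 to 5 of the Distribution Flow, shown as an added example that is not part of the original documentation or of any Microsoft code: a sanity check of the CAB wrapper before it is unpacked, and a freshness policy on the `SequenceNumber`, `ThisUpdate` and `NextUpdate` fields so that an older, validly signed list is not reinstalled. The dict keys, the five-minute clock skew and the sample values are assumptions, and the CTL fields are assumed to come from a list whose signature has already been verified.

```python
import struct
from datetime import datetime, timedelta, timezone

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # fixed 36-byte cabinet header

def check_cab_container(body: bytes) -> int:
    """Sanity-check the CAB wrapper; return the file count it declares."""
    if len(body) < CFHEADER.size:
        raise ValueError("too short for a cabinet header")
    (magic, _, cb_cabinet, _, coff_files, _, ver_minor, ver_major,
     _, n_files, _, _, _) = CFHEADER.unpack_from(body)
    if magic != b"MSCF":
        raise ValueError("bad magic: not a cabinet")
    if (ver_major, ver_minor) != (1, 3):
        raise ValueError("unexpected cabinet version")
    if cb_cabinet != len(body):
        raise ValueError("declared size differs from bytes received")
    if not CFHEADER.size <= coff_files < len(body):
        raise ValueError("file table offset outside the archive")
    return n_files

def accept_ctl(candidate: dict, installed: dict, now: datetime,
               skew: timedelta = timedelta(minutes=5)) -> str:
    """Freshness policy for a CTL whose signature has already been verified."""
    if candidate["sequence_number"] <= installed["sequence_number"]:
        return "reject: SequenceNumber not newer (rollback or replay)"
    if candidate["this_update"] > now + skew:
        return "reject: ThisUpdate is in the future"
    if candidate["next_update"] <= now:
        return "reject: NextUpdate has passed"
    return "accept"

# Constructed sample inputs (not real trust-list data).
SAMPLE_CAB = CFHEADER.pack(b"MSCF", 0, 48, 0, 44, 0, 3, 1, 1, 1, 0, 0, 0) + bytes(12)
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
INSTALLED = {"sequence_number": 245}
NEWER = {"sequence_number": 246,
         "this_update": datetime(2026, 5, 30, tzinfo=timezone.utc),
         "next_update": datetime(2026, 6, 15, tzinfo=timezone.utc)}
REPLAYED = dict(NEWER, sequence_number=244)

if __name__ == "__main__":
    print(check_cab_container(SAMPLE_CAB))
    print(accept_ctl(NEWER, INSTALLED, NOW))
    print(accept_ctl(REPLAYED, INSTALLED, NOW))
```

The values returned by `GET /status` are not covered by the CTL signature, so a policy like this should read the fields from the verified list itself.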