Sublime Forum

Does ST3 need to export the certificates on the computer?

#1

I found this today. Why? Here is the pic.

0 Likes

#2

Depending on the applied technology to establish a validated encrypted connection via HTTPS, Package Control needs to store the root certificates installed on your OS into a file.

On Windows, PC uses the Windows API to establish HTTPS connections, which does not need that step, but on other OSs the asncrypto library is used, which reads root certificates from files only. What you see is PC converting root certificates to a format the SSL library in use can read.

Nothing harmful.

0 Likes

#3

Nothing harmful. Good, but my system is Win7. Does it need this step too?

0 Likes

#4

Package Control should use the oscrypto library on Windows, which uses Windows API functions to handle encrypted connections and therefore shouldn’t need that step. I am running ST3154 with PC 3.3.0 and don’t see such messages. I found certificate files created by Package Control in my User package, but they are no longer used or recreated.

With that said, I guess your PC is not up to date or it can’t access the Windows encryption API for some reason and therefore falls back to another one. I am not very familiar with the requirements needed for a certain API to be used and the internal fallback mechanisms, but you could check that PC is up to date.

Besides, I use Win10 here. I did not check my Win7 business box for root certificate exports right now.

1 Like

#5

The urllib backend of Package Control uses the Python _ssl module, which is based on OpenSSL. To verify the certificate of a server, it needs a list of CA certs to create paths back to. Linux machines have these, in general, since most use OpenSSL in some form. On Mac and Windows machines, they have their own lists of CA certs in their own format. For Macs we always export the certs into the format for OpenSSL. On Windows by default we use the WinINet API for secure connections, which does not require a list of CA certs in a file. If that fails, we try to use the urllib backend, which does require exporting the certs.

CA certs are publicly available, and exporting a list has no security vulnerabilities. The only security issue would be allowing Package Control to add a CA cert to your system, which is not supported or implemented.

3 Likes
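
The export step described in post #5, as an added example that is not part of the thread and is not Package Control's code: it reads the CA certificates Python's `ssl` module can see, writes them as an OpenSSL-style PEM bundle, and loads that file into a verifying context. The function names and the `ca-bundle.crt` file name are assumptions.

```python
import os
import ssl
import tempfile


def os_root_certs_der():
    """CA certificates visible to Python's ssl module, as DER bytes."""
    if hasattr(ssl, "enum_certificates"):  # Windows: read the system stores
        return [der for store in ("ROOT", "CA")
                for der, enc, _trust in ssl.enum_certificates(store)
                if enc == "x509_asn"]
    # Elsewhere: whatever OpenSSL's default CA file provides (may be empty)
    return ssl.create_default_context().get_ca_certs(binary_form=True)


def write_pem_bundle(der_certs, path):
    """Write DER certificates as one PEM bundle; return how many were written."""
    unique = list(dict.fromkeys(der_certs))  # drop duplicates, keep order
    with open(path, "w", encoding="ascii") as fh:
        for der in unique:
            fh.write(ssl.DER_cert_to_PEM_cert(der))
    return len(unique)


def context_from_bundle(path):
    """Verifying TLS client context that trusts only the CAs in `path`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # cert + hostname checks on
    ctx.load_verify_locations(cafile=path)
    return ctx


def export_and_load():
    """Export, reload, and report (written, loaded, has_private_key)."""
    with tempfile.TemporaryDirectory() as tmp:
        bundle = os.path.join(tmp, "ca-bundle.crt")  # assumed file name
        written = write_pem_bundle(os_root_certs_der(), bundle)
        with open(bundle, encoding="ascii") as fh:
            text = fh.read()
        # An empty bundle cannot be loaded, so skip the reload in that case
        loaded = len(context_from_bundle(bundle).get_ca_certs()) if written else 0
    return written, loaded, "PRIVATE KEY" in text


if __name__ == "__main__":
    print(export_and_load())
```

The exported file holds only public certificates, so the third value is always `False`; reading the trust store this way never writes anything back to it.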