Using Windows system certificate store for server authentication


Using Windows system certificate store for server authentication

Juan Isoza

It's a good idea to use OpenSSL under Windows (with the new OpenSSL 1.1.1, we will be able to use TLS 1.3 under Windows, from 7/2008 to 10/2016) instead of the internal Windows crypto.

But, for example, a curl build for Windows with OpenSSL needs a --insecure parameter or a custom root certificate file.

What about using the Windows certificate store?

I found info at

There is some code in OpenSSL (in engines\e_capi.c) which deals with the Windows certificate store, but this seems not to solve the problem.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Using Windows system certificate store for server authentication

d3x0r


On Fri, Sep 7, 2018 at 11:55 PM Juan Isoza <[hidden email]> wrote:

> It's a good idea to use OpenSSL under Windows (with the new OpenSSL 1.1.1, we will be able to use TLS 1.3 under Windows, from 7/2008 to 10/2016) instead of the internal Windows crypto.
>
> But, for example, a curl build for Windows with OpenSSL needs a --insecure parameter or a custom root certificate file.
>
> What about using the Windows certificate store?

Loading the Windows cert store isn't very hard....

But checking; I guess that's just the code from that Stack Overflow, basically verbatim.

> There is some code in OpenSSL (in engines\e_capi.c) which deals with the Windows certificate store, but this seems not to solve the problem.

Re: Using Windows system certificate store for server authentication

OpenSSL - User mailing list
In reply to this post by Juan Isoza

OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.

 



Re: Using Windows system certificate store for server authentication

Viktor Dukhovni
On Sat, Sep 08, 2018 at 01:44:50PM +0000, Salz, Rich via openssl-users wrote:

> OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.

More precisely, OpenSSL does not bundle any trusted certificates
with the upstream source.  OpenSSL does use $OPENSSLDIR/cert.pem
and $OPENSSL/certs/ as the default CAfile and CApath respectively
via the:

   SSL_CTX_set_default_verify_paths()

function.  These can also be specified via the SSL_CERT_FILE and
SSL_CERT_DIR environment variables.  Applications can specify
additional or alternative CAfile or CApath locations.

IIRC the upstream OpenSSL code does not include an interface to the
Windows Active Directory certificate store.  This may be available
from third parties.

--
        Viktor.

Re: Using Windows system certificate store for server authentication

Jakob Bohm-7
On 08/09/2018 20:00, Viktor Dukhovni wrote:

> On Sat, Sep 08, 2018 at 01:44:50PM +0000, Salz, Rich via openssl-users wrote:
>
>> OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.
> More precisely, OpenSSL does not bundle any trusted certificates
> with the upstream source.  OpenSSL does use $OPENSSLDIR/cert.pem
> and $OPENSSL/certs/ as the default CAfile and CApath respectively
> via the:
>
>     SSL_CTX_set_default_verify_paths()
>
> function.  These can also be specified via the SSL_CERT_FILE and
> SSL_CERT_DIR environment variables.  Applications can specify
> additional or alternative CAfile or CApath locations.
>
> IIRC the upstream OpenSSL code does not include an interface to the
> Windows Active Directory certificate store.  This may be available
> from third parties.
Please note there is no "Active Directory certificate store" for
trusted CAs.

There are however at least 3 similarly named things:

- A per user/machine local CryptoAPI Certificate Store for trusted CAs,
  known intermediary CAs and known extra-bad certs (CA or EE).  This may
  or may not be accessible via the "capi" engine. Alternatively, a script
  could be written in a Microsoft language (such as VBScript or
  PowerShell) to automatically keep an /etc/ssl/certs format copy of that
  data.

- An Active Directory certificate store describing mappings between
  trusted end entity certificates and Kerberos accounts (such as
  "[hidden email] == specific cert, HTTP/baz.example.com == some other
  cert").  This can be accessed via LDAP but would be wholly in the
  application domain from an OpenSSL perspective (e.g. an Apache mod_ssl
  config mapping client certs to accounts via LDAP).

- An Active Directory certificate store for Microsoft's Enterprise CA
  software.  This is wholly internal to that non-OpenSSL CA software,
  although some of that data (such as revocation checking) may be
  available via LDAP.

Rule of thumb: Active Directory ~ Microsoft LDAP Directory


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

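A script of the kind Jakob describes in his first bullet, as an added example that is not part of the thread: it exports the machine's trusted root CAs from the CryptoAPI store to a PEM bundle that an OpenSSL-built curl can be given with --cacert, or that OpenSSL picks up through the SSL_CERT_FILE variable Viktor mentions, so that --insecure is no longer needed. The output path is an assumption.

```powershell
# Added example (not from the thread): export Windows' trusted root CAs to a PEM bundle
# that OpenSSL-based tools can use via SSL_CERT_FILE or curl --cacert.
# Assumptions: the output path below is arbitrary; the script only needs read access to the
# LocalMachine Root and AuthRoot stores (no elevation required for reading).
$OutFile = 'C:\certs\windows-roots.pem'   # assumed output path
$null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $OutFile)

# Root = Trusted Root CAs; AuthRoot = third-party roots delivered through Windows Update.
$stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot')
$seen   = @{}
$lines  = New-Object System.Collections.Generic.List[string]
$now    = Get-Date

foreach ($cert in ($stores | ForEach-Object { Get-ChildItem -Path $_ })) {
    # De-duplicate across stores and drop certs outside their validity period.
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { continue }
    $seen[$cert.Thumbprint] = $true

    # DER bytes -> base64 -> PEM with 64-character lines, as OpenSSL's PEM reader expects.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    $lines.Add("# Subject: $($cert.Subject)")
    $lines.Add("# SHA1 fingerprint: $($cert.Thumbprint)")
    $lines.Add('-----BEGIN CERTIFICATE-----')
    for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $lines.Add($b64.Substring($i, [Math]::Min(64, $b64.Length - $i)))
    }
    $lines.Add('-----END CERTIFICATE-----')
}

# LF line endings and no BOM, so the file also works from MSYS/Cygwin OpenSSL builds.
$utf8NoBom = New-Object System.Text.UTF8Encoding $false
[System.IO.File]::WriteAllText($OutFile, (($lines -join "`n") + "`n"), $utf8NoBom)
Write-Host "Wrote $($seen.Count) trusted root certificates to $OutFile"

# Use the bundle instead of --insecure:
#   $env:SSL_CERT_FILE = $OutFile          # picked up by SSL_CTX_set_default_verify_paths()
#   curl.exe --cacert $OutFile https://example.com/
```

Windows fetches many third-party roots from Windows Update on first use, so the local store (and therefore this bundle) only contains roots the machine has already seen; the Disallowed store is not consulted here, so re-run the export whenever the Windows stores change.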