Windows certificate authorities list?


Mikhail Kruk-2
Hello,
I want my application to trust certificates signed by the major CAs out
there.  Does anyone know of a way to hook up to the place where Windows
stores its list of CAs?  Or maybe just a place where I can download the
keys of the standard CAs (like Verisign, Thawte...).  Is there such a thing
as a standard list or does everyone just come up with a bunch of CAs they
like?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Windows certificate authorities list?

Dr. Stephen Henson
On Thu, Mar 02, 2006, Mikhail Kruk wrote:

> Hello,
> I want my application to trust certificates signed by the major CAs out
> there.  Does anyone know of a way to hook up to the place where Windows
> stores its list of CAs?  Or maybe just a place where I can download the
> keys of the standard CAs (like Verisign, Thawte...).  Is there such a thing
> as a standard list or does everyone just come up with a bunch of CAs they
> like?

You can export the root CA list in MSIE into a PKCS#7 structure. Then OpenSSL
can be used to convert that into a list of trusted CAs it can use.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Re: Windows certificate authorities list?

Mike McEwen
In reply to this post by Mikhail Kruk-2
Mikhail Kruk wrote:

> Hello,
> I want my application to trust certificates signed by the major CAs out
> there.  Does anyone know of a way to hook up to the place where
> Windows stores its list of CAs?  Or maybe just a place where I can
> download the keys of the standard CAs (like Verisign, Thawte...).  Is
> there such a thing as a standard list or does everyone just come up with a
> bunch of CAs they like?

If your application is running on windows you can dynamically access the
windows certificate store, see:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certopensystemstore.asp

Or, as Dr Henson suggests, if you want the certificates built in to your
application you can export them from MSIE.

 - Mike McEwen

Re: Windows certificate authorities list?

Brian Candler
On Fri, Mar 03, 2006 at 08:12:41AM +0000, Mike McEwen wrote:

> >I want my application to trust certificates signed by the major CAs out
> >there.  Does anyone know of a way to hook up to the place where
> >Windows stores its list of CAs?  Or maybe just a place where I can
> >download the keys of the standard CAs (like Verisign, Thawte...).  Is
> >there such a thing as a standard list or does everyone just come up with a
> >bunch of CAs they like?
>
> If your application is running on windows you can dynamically access the
> windows certificate store, see:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certopensystemstore.asp

Or you can use the 'certutil.exe' tool, available as part of the Windows
2003 Admin Pak (which also installs directly onto Windows 2000, and runs
under XP if you copy the appropriate bits across).

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

  certutil -store root           # list them
  certutil -viewstore root       # GUI display

The store called 'root' is the set of trusted self-signed root certificates,
and store 'ca' is the set of known intermediate CAs. Store 'my' is your
machine's own certificates.

  certutil -split -store root

dumps them all out into separate files, e.g. Blob99_0.crt - these are DER
but you can turn them into PEM easily enough.

  certutil -dump Blob99_0.crt

decodes the certificate structure for display.

Alternatively, if you just want a set of root certificates, then openssl
itself comes with some - see the 'certs' subdirectory of the openssl source
bundle. Of course, you'd be wise to establish an appropriate degree of trust
in each one individually.

Regards,

Brian.
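
The two export routes described in this thread (the PKCS#7 export from MSIE in Dr Henson's reply, and the DER files written by `certutil -split -store root` in the message above) can be turned into one PEM bundle that OpenSSL loads. This is an added example, not part of any poster's message; the function names, script name and bundle layout are assumptions, and only standard `openssl` subcommands are used.

```shell
#!/bin/sh
# Added example: build a PEM CA bundle for OpenSSL from exported Windows roots.
# SRC is either a DER PKCS#7 export (.p7b) or a directory of DER files such
# as those written by "certutil -split -store root" (e.g. Blob99_0.crt).
# Function names and the bundle layout are assumptions of this example.

# der_to_pem FILE: write one DER certificate as PEM, preceded by comment
# lines (subject, expiry, SHA-256 fingerprint) so each root can be reviewed.
der_to_pem() {
    info=$(openssl x509 -inform DER -in "$1" -noout \
        -subject -enddate -fingerprint -sha256 2>/dev/null) || return 1
    printf '%s\n' "$info" | sed 's/^/# /'
    openssl x509 -inform DER -in "$1" -outform PEM
}

# roots_to_bundle SRC OUT: write the bundle to OUT and print the number of
# certificates it contains. Files that do not parse as DER are skipped.
roots_to_bundle() {
    src=$1 out=$2 n=0
    : > "$out"
    if [ -d "$src" ]; then
        for f in "$src"/*.crt; do
            [ -f "$f" ] || continue
            if der_to_pem "$f" >> "$out"; then
                n=$((n + 1))
            else
                echo "skipped, not a DER certificate: $f" >&2
            fi
        done
    else
        # PKCS#7 export: -print_certs emits every certificate as PEM.
        openssl pkcs7 -inform DER -in "$src" -print_certs >> "$out" || return 1
        n=$(grep -c 'BEGIN CERTIFICATE' "$out" || true)
    fi
    echo "$n"
}

# Usage: sh roots2pem.sh <export.p7b | split-dir> <bundle.pem>
if [ "$#" -eq 2 ]; then
    roots_to_bundle "$1" "$2"
fi
```

Review the commented subject and fingerprint of each root and delete any you do not want to trust, then pass the file to `SSL_CTX_load_verify_locations()` or `openssl verify -CAfile`.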