Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Can OpenSSL on Windows use the system certificate store?

Some working C++ code that I'm porting from Linux to Windows is failing on windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

The code was using SSL_CTX_set_default_verify_paths() on Linux to tell SSL to just look in the standard default locations for the certificate store.

Is it possible to get OpenSSL to use the system certificate store?

like image 522
dicroce Avatar asked Feb 29 '12 21:02

dicroce


People also ask

Where does OpenSSL store certificates on Windows?

For OpenSSL, you can run the command openssl version –a to find the folder where your key files would be saved (/usr/local/ssl by default). On Windows (IIS), the OS manages your CSRs for you.

How do I access certificate store in Windows?

To view certificates for the current userSelect Run from the Start menu, and then enter certmgr. msc. The Certificate Manager tool for the current user appears. To view your certificates, under Certificates - Current User in the left pane, expand the directory for the type of certificate you want to view.

Where is OpenSSL certificate stored?

OpenSSL certainly trusts certain certificates automatically: any which are found in the "Directory for OpenSSL files", in either a file named cert. pem or in the subdirectory certs/ .

Where does Windows Server store SSL certificates?

When you add Certificate Services on a Windows server and configure a CA, a certificate database is created. By default, the database is contained in the %SystemRoot%\System32\Certlog folder, and the name is based on the CA name with an .


2 Answers

I have done it earlier. Hope this helps, if this is exactly what you are looking for.

  1. Load your certificate (in PCCERT_CONTEXT structure) from Windows Cert store using Crypto APIs.
  2. Get encrypted content of it in binary format as it is. [PCCERT_CONTEXT->pbCertEncoded].
  3. Parse this binary buffer into X509 certificate Object using OpenSSL's d2i_X509() method.
  4. Get handle to OpenSSL's trust store using SSL_CTX_get_cert_store() method.
  5. Load above parsed X509 certificate into this trust store using X509_STORE_add_cert() method.
  6. You are done!
like image 126
Tushar Sudake Avatar answered Oct 09 '22 21:10

Tushar Sudake


For those of you still struggling with this as I have been, here is a sample code to get you started:

#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <iostream>
#include <tchar.h>

#include "openssl\x509.h"

#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "cryptui.lib")

#define MY_ENCODING_TYPE  (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509 *x509;
    X509_STORE *store = X509_STORE_new();

    hStore = CertOpenSystemStore(NULL, L"ROOT");

    if (!hStore)
        return 1;

    while (pContext = CertEnumCertificatesInStore(hStore, pContext))
    {
        //uncomment the line below if you want to see the certificates as pop ups
        //CryptUIDlgViewContext(CERT_STORE_CERTIFICATE_CONTEXT, pContext,   NULL, NULL, 0, NULL);

        x509 = NULL;
        x509 = d2i_X509(NULL, (const unsigned char **)&pContext->pbCertEncoded, pContext->cbCertEncoded);
        if (x509)
        {
            int i = X509_STORE_add_cert(store, x509);

            if (i == 1)
                std::cout << "certificate added" << std::endl;

            X509_free(x509);
        }
    }

CertFreeCertificateContext(pContext);
CertCloseStore(hStore, 0);
system("pause");
return 0;

}
like image 29
Peter Avatar answered Oct 09 '22 21:10

Peter