OpenSSL reasonable default for trusted CA certificates?

Tags:

ssl

openssl

Is there a way to set up an OpenSSL context (SSL_CTX) with a reasonable set of trusted CA certificates without distributing them myself? I don't want the responsibility of keeping them up to date. IMO any modern operating system should provide "get me the trusted CA certs" as a service, but I don't know if that's actually the case.

I don't mind writing this code three times (once for Windows, once for Mac OS X, and once for Linux), but I'd prefer to cap it at that. In particular, I'd rather not try to write code that snoops around looking for what browsers are installed and trying to extract their trusted certificates. (Apparently it's easy to get this very wrong.)

The answer for recent versions of Linux seems to be to call SSL_CTX_load_verify_locations with /etc/ssl/certs/ca-certificates.crt (if that file exists).

Are there simple answers for Windows and Mac OS X?

Ryan Culpepper asked Apr 10 '12 20:04




1 Answer

Here's what I ended up doing:

On Windows: get the certificates from the Windows "ROOT" certificate store using CertOpenSystemStore, loop over them using CertEnumCertificatesInStore, grab the X509-encoded raw certificate from the pbCertEncoded field of the CERT_CONTEXT, create an OpenSSL X509 structure using d2i_X509, and add it to the OpenSSL certificate store using X509_STORE_add_cert. The Windows functions are all available from crypt32.dll.

On Mac OS X: get the certificates from the "/System/Library/Keychains/SystemRootCertificates.keychain" keychain using SecKeychainOpen, create an iterator for the certificates in the keychain using SecKeychainSearchCreateFromAttributes, iterate using SecKeychainSearchCopyNext, get the raw X509 certificate using SecItemExport, create an OpenSSL certificate using d2i_X509, and add it to the OpenSSL store using X509_STORE_add_cert. The Mac functions are available from /Systems/Library/Frameworks/Security.framework/Security.

A better approach might be to create an OpenSSL X509_STORE with a callback that uses OS functions to verify an individual root cert, rather than copying all of them over, but I haven't tried that.

Ryan Culpepper answered Nov 16 '22 02:11