Can OpenSSL on Windows use the system certificate store?
I have done it earlier. Hope this helps, if this is exactly what you are looking for.
- Load your certificate (in a PCCERT_CONTEXT structure) from the Windows cert store using the Crypto APIs.
- Get the encrypted content of it in binary format as it is [PCCERT_CONTEXT->pbCertEncoded].
- Parse this binary buffer into an X509 certificate object using OpenSSL's d2i_X509() method.
- Get a handle to OpenSSL's trust store using the SSL_CTX_get_cert_store() method.
- Load the above parsed X509 certificate into this trust store using the X509_STORE_add_cert() method.
- You are done!
For those of you still struggling with this as I have been, here is some sample code to get you started:
```cpp
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#include <wincrypt.h>
#include <cryptuiapi.h>
#include <iostream>
#include <tchar.h>
#include <openssl/x509.h>

#pragma comment (lib, "crypt32.lib")
#pragma comment (lib, "cryptui.lib")

#define MY_ENCODING_TYPE (PKCS_7_ASN_ENCODING | X509_ASN_ENCODING)

int main(void)
{
    HCERTSTORE hStore;
    PCCERT_CONTEXT pContext = NULL;
    X509 *x509;
    X509_STORE *store = X509_STORE_new();

    // "ROOT" is the current user's Trusted Root Certification Authorities store.
    // The W variant is used explicitly because the store name is a wide string.
    hStore = CertOpenSystemStoreW(NULL, L"ROOT");
    if (!hStore)
        return 1;

    // CertEnumCertificatesInStore releases the context passed in on each call
    // and returns NULL once the enumeration is finished.
    while ((pContext = CertEnumCertificatesInStore(hStore, pContext)) != NULL) {
        // uncomment the line below if you want to see the certificates as pop ups
        // CryptUIDlgViewContext(CERT_STORE_CERTIFICATE_CONTEXT, pContext, NULL, NULL, 0, NULL);

        // d2i_X509 advances the pointer it is given past the decoded object, so
        // decode from a local copy instead of from &pContext->pbCertEncoded,
        // which would corrupt the CERT_CONTEXT's own pointer.
        const unsigned char *p = pContext->pbCertEncoded;
        x509 = d2i_X509(NULL, &p, pContext->cbCertEncoded);
        if (x509) {
            // X509_STORE_add_cert takes its own reference; 1 means added,
            // 0 with an error means e.g. the certificate was already present.
            int i = X509_STORE_add_cert(store, x509);
            if (i == 1)
                std::cout << "certificate added" << std::endl;
            X509_free(x509);
        }
    }
    // pContext is NULL here: the final enumeration call already freed the last context.
    CertCloseStore(hStore, 0);

    // `store` now holds the Windows roots and can be used for verification, for
    // example through X509_STORE_CTX or by installing it with SSL_CTX_set_cert_store().
    X509_STORE_free(store);
    system("pause");
    return 0;
}
```
No. Not out of the box.
No, it is not possible out of the box. It would require additional programming. With OpenSSL you have two options out of the box:
- Use OpenSSL's own cert store (it is a hierarchy of directories created by a perl script provided with OpenSSL)
- Use only a certificate chain file created by you (it is a text file with all PEM-encoded certificates in the chain of trust). Creating such a file is easy (just append them)
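The second option above, a PEM bundle, is also the simplest way to bridge the Windows store to OpenSSL without writing any C: export the certificates from the Windows Root store into one PEM file and point OpenSSL (and OpenSSL-based tools such as curl or Python's ssl module) at it through the SSL_CERT_FILE environment variable. The PowerShell script below is an added example, not code from any answer above or from the OpenSSL project; the output path and the final openssl s_client check are assumptions.

```powershell
# Added example: export the Windows trusted root stores to a PEM bundle for OpenSSL.
# Output path is a hypothetical choice; adjust as needed.
$bundle = Join-Path $env:LOCALAPPDATA 'openssl-windows-roots.pem'

$seen = @{}
$lines = foreach ($location in 'LocalMachine', 'CurrentUser') {
    # 'Root' is the Trusted Root Certification Authorities store in each location.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', $location)
    $store.Open('ReadOnly')
    try {
        foreach ($cert in $store.Certificates) {
            # Skip roots present in both locations, and skip expired roots:
            # OpenSSL would reject any chain ending in them anyway.
            if ($seen.ContainsKey($cert.Thumbprint)) { continue }
            if ($cert.NotAfter -lt (Get-Date)) { continue }
            $seen[$cert.Thumbprint] = $true

            # Export the DER bytes (no private key) and wrap them as PEM with
            # the 64-character base64 lines the PEM format specifies.
            $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
            $b64 = [Convert]::ToBase64String($der)
            "# $($cert.Subject)"
            "-----BEGIN CERTIFICATE-----"
            for ($i = 0; $i -lt $b64.Length; $i += 64) {
                $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
            }
            "-----END CERTIFICATE-----"
        }
    } finally {
        $store.Close()
    }
}

# OpenSSL's PEM reader ignores the comment lines outside the BEGIN/END markers.
Set-Content -Path $bundle -Value $lines -Encoding ascii
Write-Host "Wrote $($seen.Count) root certificates to $bundle"

# Make OpenSSL use the bundle for the rest of this session (set it
# machine- or user-wide with [Environment]::SetEnvironmentVariable to persist it).
$env:SSL_CERT_FILE = $bundle

# Check: verify a live server chain against the exported roots.
# Assumes openssl.exe is on PATH; look for "Verify return code: 0 (ok)" in the output.
& openssl s_client -connect example.com:443 -CAfile $bundle -servername example.com
```

Two caveats worth knowing before relying on this. Windows does not keep every trusted root on disk: the automatic root update mechanism downloads roots on demand the first time a chain needs them, so the export only contains roots the machine has already seen, and a site that Windows trusts can still fail under OpenSSL until that root has been fetched once. The export also carries over only positive trust; Windows' Untrusted (Disallowed) store and per-certificate disabled purposes are not represented in a PEM bundle, so a root Windows has explicitly distrusted will be trusted by OpenSSL if it is still sitting in the Root store. Re-run the export periodically, and never include the Disallowed store in the bundle.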