[openssl-users] Using Windows system certificate store for server authentication
Jakob Bohm
jb-openssl at wisemo.com
Mon Sep 10 11:41:41 UTC 2018
On 08/09/2018 20:00, Viktor Dukhovni wrote:
> On Sat, Sep 08, 2018 at 01:44:50PM +0000, Salz, Rich via openssl-users wrote:
>
>> OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.
> More precisely, OpenSSL does not bundle any trusted certificates
> with the upstream source. OpenSSL does use $OPENSSLDIR/cert.pem
> and $OPENSSL/certs/ as the default CAfile and CApath respectively
> via the:
>
> SSL_CTX_set_default_verify_paths()
>
> function. These can also be specified via the SSL_CERT_FILE and
> SSL_CERT_DIR environment variables. Applications can specify
> additional or alternative CAfile or CApath locations.
>
> IIRC the upstream OpenSSL code does not include an interface to the
> Windows Active Directory certificate store. This may be available
> from third parties.
Please note there is no "Active Directory certificate store" for trusted CAs.
There are however at least 3 similarly named things:
- A per user/machine local CryptoAPI Certificate Store for trusted CAs, known intermediary CAs and known extra-bad certs (CA or EE). This may or may not be accessible via the "capi" engine. Alternatively, a script could be written in a Microsoft language (such as VBScript or PowerShell) to automatically keep an /etc/ssl/certs format copy of that data.
- An Active Directory certificate store describing mappings between trusted end entity certificates and Kerberos accounts (such as "foo@bar.example.com" == specific cert, "HTTP/baz.example.com" == some other cert). This can be accessed via LDAP but would be wholly in the application domain from an OpenSSL perspective (e.g. an Apache mod_ssl config mapping client certs to accounts via LDAP).
- An Active Directory certificate store for Microsoft's Enterprise CA software. This is wholly internal to that non-OpenSSL CA software, although some of that data (such as revocation checking) may be available via LDAP.
Rule of thumb: Active Directory ~ Microsoft LDAP Directory
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
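The export script sketched in the first list item above (keeping an OpenSSL-format copy of the local CryptoAPI trust store), as an added example that is not from this thread: it uses the Python standard library's ssl.enum_certificates() instead of PowerShell, and the store names, output path and serverAuth OID constant are my own choices. The export itself only works on Windows; the PEM and trust-filter helpers are portable.

```python
"""
Export the CryptoAPI trust anchors that Windows trusts for TLS server
authentication into one OpenSSL-style CAfile (a PEM bundle).
"""
import base64
import ssl

# id-kp-serverAuth (RFC 5280). Windows records per-purpose restrictions on
# trust anchors as sets of EKU OIDs; ssl.enum_certificates() passes them on.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def der_to_pem(der: bytes) -> str:
    """Wrap one DER certificate as a PEM block with 64-column body lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def trusted_for_server_auth(trust) -> bool:
    """trust is True (all purposes) or a set of EKU OIDs."""
    if trust is True:
        return True
    return isinstance(trust, (set, frozenset)) and SERVER_AUTH_OID in trust


def collect_server_auth_roots(entries) -> str:
    """Reduce (der, encoding, trust) tuples, as ssl.enum_certificates() returns
    them, to deduplicated X.509 anchors usable for server auth, as PEM text."""
    seen, blocks = set(), []
    for der, encoding, trust in entries:
        if encoding != "x509_asn" or not trusted_for_server_auth(trust):
            continue  # skip PKCS#7 blobs and anchors limited to other purposes
        if der not in seen:
            seen.add(der)
            blocks.append(der_to_pem(der))
    return "".join(blocks)


def export_windows_roots(out_path: str, stores=("ROOT",)) -> int:
    """Windows only. Only ROOT by default: everything in an OpenSSL CAfile is a
    trust anchor, so exporting the CA (intermediates) store would over-trust."""
    if not hasattr(ssl, "enum_certificates"):
        raise RuntimeError("ssl.enum_certificates() exists only on Windows")
    entries = [e for store in stores for e in ssl.enum_certificates(store)]
    bundle = collect_server_auth_roots(entries)
    with open(out_path, "w", encoding="ascii") as f:
        f.write(bundle)
    return bundle.count("-----BEGIN CERTIFICATE-----")
```

On Windows, export_windows_roots("windows-roots.pem") writes the bundle, which an OpenSSL-based client can then point at as its CAfile (for example via SSL_CERT_FILE). Python's own SSLContext.load_default_certs() reads the same CA and ROOT stores internally on Windows.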