[openssl-dev] Windows system cert store
Dr. Stephen Henson
steve at openssl.org
Fri Jul 14 23:24:55 UTC 2017
On Thu, Jul 13, 2017, Matthew Stickney wrote:
>
> You may have been looking at a different version of IE than what I've
> got on my Windows 7 VM, but at least here IE doesn't allow you to set
> certificate purposes: it has a dialog that looks just like that (under
> the "Advanced" button in the certificate list), but that's only used
> to select the set of usages you want to display if you choose
> "<Advanced Purposes>" in the "Intended Purpose" dropdown at the top
> (it's effectively just a customizable display filter).
>
It's been a while since I looked at it, yes. IIRC before, when you selected
a root (or other) certificate under the Details tab, you could select "Edit
Properties..."; now the box is greyed out unless you run as administrator
or select a user-added certificate.

> I've been reading through OpenSSL's verification code a bit, and from
> what I'm seeing it looks like purposes could be set for an existing
> certificate by setting the appropriate bits in the ex_kusage or
> ex_xkusage fields, at least for standard usages. Is that right?
>
No, those are just caches of the contents of the key usage and extended key
usage extensions. The function you need to call is X509_add1_trust_object()
for each trust setting. You could also call X509_alias_set1 to set the
friendly name of the certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
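
The trust settings and friendly name discussed in this message are auxiliary data attached to the certificate, and the `openssl x509` command sets the same data with `-addtrust`, `-addreject` and `-setalias`. The script below is an added example, not code from this thread or from the OpenSSL project; it shows those settings changing the outcome of `openssl verify` per purpose. The throwaway root certificate, its subject and its alias are constructed for the demo.

```shell
#!/bin/sh
# Added example: trust settings and alias as certificate auxiliary data.
# The root certificate, its subject and its alias are constructed for this demo.
set -eu

make_trusted_root() {   # $1 = work dir; writes root.pem and root-trusted.pem
    # Throwaway self-signed root standing in for a certificate read from a store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
    # Trust for TLS server auth, explicit reject for S/MIME, plus a friendly name.
    # -trustout writes a "TRUSTED CERTIFICATE" PEM that keeps this auxiliary data.
    openssl x509 -in "$1/root.pem" -trustout \
        -addtrust serverAuth -addreject emailProtection \
        -setalias "Constructed Demo Root" -out "$1/root-trusted.pem"
}

show_trust() {          # $1 = certificate file; prints the auxiliary section
    openssl x509 -in "$1" -noout -text | sed -n '/Trusted Uses:/,$p'
}

verify_as() {           # $1 = work dir, $2 = purpose; exit status 0 if accepted
    openssl verify -CAfile "$1/root-trusted.pem" -purpose "$2" \
        "$1/root.pem" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_trusted_root "$work"
show_trust "$work"/root-trusted.pem
for purpose in sslserver smimesign; do
    if verify_as "$work" "$purpose"; then
        echo "$purpose: accepted"
    else
        echo "$purpose: rejected"
    fi
done
```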