[openssl-users] Using Windows system certificate store for server authentication

Jakob Bohm jb-openssl at wisemo.com
Mon Sep 10 11:41:41 UTC 2018

On 08/09/2018 20:00, Viktor Dukhovni wrote:
> On Sat, Sep 08, 2018 at 01:44:50PM +0000, Salz, Rich via openssl-users wrote:
>> OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.
> More precisely, OpenSSL does not bundle any trusted certificates
> with the upstream source.  OpenSSL does use $OPENSSLDIR/cert.pem
> and $OPENSSL/certs/ as the default CAfile and CApath respectively
> via the:
>     SSL_CTX_set_default_verify_paths()
> function.  These can also be specified via the SSL_CERT_FILE and
> SSL_CERT_DIR environment variables.  Applications can specify
> additional or alternative CAfile or CApath locations.
> IIRC the upstream OpenSSL code does not include an interface to the
> Windows Active Directory certificate store.  This may be available
> from third parties.
Please note there is no "Active Directory certificate store" for
trusted CAs.

There are however at least 3 similarly named things:

- A per user/machine local CryptoAPI Certificate Store for trusted CAs,
  known intermediary CAs and known extra-bad certs (CA or EE).  This may
  or may not be accessible via the "capi" engine.  Alternatively, a script
  could be written in a Microsoft language (such as VBScript or
  PowerShell) to automatically keep an /etc/ssl/certs format copy of that

- An Active Directory certificate store describing mappings between
  trusted end entity certificates and kerberos accounts (such as
  "foo at bar.example.com == specific cert, HTTP/baz.example.com == some other
  cert").  This can be accessed via LDAP but would be wholly in the
  application domain from an OpenSSL perspective (e.g. an Apache mod_ssl
  config mapping client certs to accounts via LDAP).

- An Active Directory certificate store for Microsoft's Enterprise CA
  software.  This is wholly internal to that non-OpenSSL CA software,
  although some of that data (such as revocation checking) may be
  available via LDAP.

Rule of thumb: Active Directory ~ Microsoft LDAP Directory


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
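The following script is an added example, not code from either poster or from the OpenSSL project. It does what the first bullet above suggests: copy the per-machine CryptoAPI "Trusted Root Certification Authorities" store into PEM files in a directory of the kind OpenSSL reads as CApath, plus a single bundle usable as CAfile, and then hand those locations to OpenSSL through the SSL_CERT_FILE and SSL_CERT_DIR environment variables that Viktor's reply mentions (the ones honoured by SSL_CTX_set_default_verify_paths()). The output directory, file names and the choice to export only unexpired self-signed roots are this example's own assumptions.

```powershell
# Added example (not from the openssl-users thread): export the Windows
# CryptoAPI root store to PEM so OpenSSL-based tools can verify servers
# against the same trust anchors. Paths and naming are assumptions.

param(
    [string]$OutDir = "$env:ProgramData\openssl-ca",
    # CryptoAPI store to read; Cert:\CurrentUser\Root is the per-user one.
    [string]$StorePath = "Cert:\LocalMachine\Root"
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function ConvertTo-Pem {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Export(Cert) yields DER; PEM is that DER base64-wrapped at 64 columns.
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    $lines = for ($i = 0; $i -lt $b64.Length; $i += 64) {
        $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    return "-----BEGIN CERTIFICATE-----`n" + ($lines -join "`n") + "`n-----END CERTIFICATE-----`n"
}

$utf8NoBom = [System.Text.UTF8Encoding]::new($false)
$bundle    = New-Object System.Text.StringBuilder
$count     = 0

foreach ($cert in Get-ChildItem -Path $StorePath) {
    # A trust-anchor bundle should hold self-signed roots only; anything
    # already expired adds nothing and is skipped as well.
    if ($cert.Subject -ne $cert.Issuer) { continue }
    if ($cert.NotAfter -lt (Get-Date)) { continue }

    $pem  = ConvertTo-Pem -Cert $cert
    # One file per certificate, named by thumbprint so names are unique.
    $file = Join-Path $OutDir "$($cert.Thumbprint).pem"
    [System.IO.File]::WriteAllText($file, $pem, $utf8NoBom)
    [void]$bundle.Append($pem)
    $count++
}

# Single-file concatenation, the shape OpenSSL expects for a CAfile.
$bundlePath = Join-Path $OutDir "ca-bundle.pem"
[System.IO.File]::WriteAllText($bundlePath, $bundle.ToString(), $utf8NoBom)

# Hand the copy to OpenSSL-based tools started from this session. CAfile
# works as-is; CApath additionally needs the subject-hash names that
# c_rehash / "openssl rehash" produce, which is a step for a Unix host.
$env:SSL_CERT_FILE = $bundlePath
$env:SSL_CERT_DIR  = $OutDir

Write-Host "Exported $count root certificates to $OutDir"
```

Two caveats a practitioner will want. First, the export is a snapshot: Windows updates the root store on its own schedule, so the script has to be re-run (a scheduled task is the usual answer) or the OpenSSL side silently drifts from the system's trust. Second, the copy carries none of the "extra-bad certs" from the CryptoAPI Disallowed store, so anything Windows has explicitly distrusted must be removed from the bundle separately; the script only covers the trusted-root half of what the bullet above describes.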
