OpenSSL CNG engine on GitHub

David von Oheimb dev at
Fri Jul 2 09:56:05 UTC 2021

Hello Reinier,

around five years back I was looking for such an implementation as an
alternative to the rather limited CAPI engine, mostly because the
C(rypto )API does not support ECC.
The only thing I found at that time was and
I do not know how it evolved since then.
So I am very pleased to see that meanwhile there is a way of using core
features of Windows CAPI Next Generation (CNG) from OpenSSL.

Many thanks to RTI for providing this as open-source development under
the Apache license.
I currently do not have the time for a closer look or even trying it
out, but this looks very good and well documented.
In particular,
gives a nice example of how to use the Windows cert & key store.
Porting this to the new OpenSSL crypto provider interface will likely
lift the limitation regarding RSA-PSS support, which is lacking just due to
the engine interface.



On 01.07.21 19:49, Reinier Torenbeek wrote:
> Hi,
> For anyone interested in leveraging Windows CNG with OpenSSL 1.1.1,
> you may want to check out this new OpenSSL CNG Engine project on
> GitHub: . The
> associated User's Manual is on
> ReadTheDocs:
> .
> The project implements the majority of the EVP interface, to leverage
> the BCrypt crypto implementations, as well as a subset of the STORE
> interface, for integration with the Windows Certificate and
> Keystore(s), via the NCrypt and Cert APIs. It has been tested with
> 1.1.1k on Windows 10, with Visual Studio 2017 and 2019. It is released
> under the Apache-2.0 license.
> Any feedback is welcome, please send it to me or open an issue on GitHub.
> Best regards,
> Reinier

More information about the openssl-users mailing list