Using OpenSSL with Windows cert store

Pawel Frankowski pwfran98 at wp.pl
Sun Apr 23 19:59:17 UTC 2023


Hi,

I am quite new to OpenSSL on Windows and I did some research on the net to solve my problem, but available knowledge seems to be limited.

I need to develop a TLS 1.2 application using OpenSSL 1.0.2 (FIPS compliant version) on the Windows platform. I have a requirement that it should get certificates, keys and CRLs from the Windows cert store, and it should use TLS 1.2 EC-based suites.

I have some knowledge about crypto, TLS and OpenSSL, but Windows integration is quite new for me. Correct me if I am wrong, but as far as I know there are, at least in theory, 2 ways of doing this:

1) Get the required certs/keys from the Windows store using the Windows API (Crypto API or CNG?) and load them into OpenSSL. I generated self-signed certs/keys and imported them into the Windows MY store. Getting certificates from there programmatically using WinAPI is quite easy and works (CertFindCertificateInStore, etc.), but is it possible to also retrieve the corresponding private keys? I see functions like CryptExportPKCS8Ex, but it seems they are marked as deprecated. Is there any working example of retrieving a specific key using it? Or perhaps it would be easier to use the CNG API to do it?

2) Using OpenSSL directly with the CryptoAPI engine (capi). Setting the capi engine, I was able to sign and verify signatures using RSA certs/keys, but it seems that CryptoAPI (and the capi engine using it) does not support EC.

I realize that some of these questions are more Windows-related, but I think the problem of using OpenSSL for modern TLS communication with the Windows store should be known and well researched, yet relevant information on the net is sparse.

Thanks a lot in advance for any help.

Best regards,
Pawel
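As an added example (not from the original post or from OpenSSL), a PowerShell inventory of the Windows MY store that answers the questions above before any C code is written: which private keys are RSA or EC, whether each lives in a legacy CryptoAPI CSP (the only kind of key the capi engine can reach) or in a CNG key storage provider, and whether the provider will release the key material so it can be loaded into OpenSSL at all. It assumes Windows PowerShell 5.1 or later on .NET 4.6+, and the store path Cert:\CurrentUser\My by default.

```powershell
# Added example, not part of the original post. Inventories a Windows
# certificate store (default: the current user's MY store) and reports,
# for each certificate with a private key, how an OpenSSL-based TLS
# application will be able to use that key.
function Get-CertStoreKeyInventory {
    param([string]$StorePath = 'Cert:\CurrentUser\My')  # assumed default; use Cert:\LocalMachine\My for the machine store

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        if (-not $cert.HasPrivateKey) { continue }

        # rsaEncryption is OID 1.2.840.113549.1.1.1; anything else here is treated as id-ecPublicKey
        $algo = if ($cert.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1') { 'RSA' } else { 'EC' }
        $key = if ($algo -eq 'RSA') {
            [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        } else {
            [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
        }
        if ($null -eq $key) { continue }  # key exists but this account cannot open it

        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CryptoAPI CSP: the only kind of key OpenSSL's capi engine can use
            $backend    = 'CryptoAPI CSP'
            $provider   = $key.CspKeyContainerInfo.ProviderName
            $exportable = $key.CspKeyContainerInfo.Exportable
        } else {
            # CNG key storage provider: EC keys always live here, and CryptoAPI
            # (hence the capi engine) cannot reach them; only NCrypt can sign with them
            $backend    = 'CNG KSP'
            $provider   = $key.Key.Provider.Provider
            $exportable = $key.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowPlaintextExport)
        }
        $key.Dispose()

        [pscustomobject]@{
            Subject      = $cert.Subject
            Thumbprint   = $cert.Thumbprint
            KeyAlgorithm = $algo
            Backend      = $backend
            Provider     = $provider
            # Only an exportable key can be copied out of the store and handed to
            # OpenSSL (option 1 in the post); otherwise the key has to stay in
            # Windows and OpenSSL must delegate signing to it.
            Exportable   = $exportable
        }
    }
}

Get-CertStoreKeyInventory | Format-Table -AutoSize
```

A certificate listed as "CNG KSP" with Exportable = False is one that neither option in the post can use as written: it needs a signing callback into NCrypt rather than a copy of the key.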