Using OpenSSL with Windows cert store
Pawel Frankowski
pwfran98 at wp.pl
Sun Apr 23 19:59:17 UTC 2023
Hi,
I am quite new to OpenSSL on Windows and I did some research on the net to solve my problem, but available knowledge seems to be limited.

I need to develop a TLS 1.2 application using OpenSSL 1.0.2 (FIPS compliant version) on the Windows platform. I have a requirement that it should get certificates, keys and CRLs from the Windows cert store, and it should use TLS 1.2 EC-based suites. I have some knowledge about crypto, TLS and OpenSSL, but Windows integration is quite new for me.

Correct me if I am wrong, but as far as I know there are, at least in theory, 2 ways of doing this:

1) Get the required certs/keys from the Windows store using the Windows API (CryptoAPI or CNG?) and load them into OpenSSL. I generated self-signed certs/keys and imported them into the Windows MY store. Getting certificates from there programmatically using WinAPI is quite easy and works (CertFindCertificateInStore, etc.), but is it possible to also retrieve the corresponding private keys? I see functions like CryptExportPKCS8Ex, but it seems they are marked as deprecated. Is there any working example of retrieving a specific key using it? Or perhaps it would be easier to use the CNG API to do it?

2) Using OpenSSL directly with the CryptoAPI engine (capi). Setting the capi engine, I was able to sign and verify signatures using RSA certs/keys, but it seems that CryptoAPI (and the capi engine using it) does not support EC.

I realize that part of these questions are more Windows-related, but I think the problem of using OpenSSL for modern TLS communication using the Windows store should be known and well researched, but relevant information on the net is sparse.
Thanks a lot in advance for any help.
Best regards,
Pawel
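Before choosing between the two approaches in the post, it helps to know which provider actually holds each private key in the MY store: keys kept by a CNG key storage provider are reachable only through CNG (NCrypt*), not through the legacy CryptoAPI that the capi engine uses, which is consistent with the EC limitation described above. The script below is an added example, not code from the poster or from the OpenSSL project; it assumes Windows PowerShell 5.1 or later on .NET Framework 4.6+ (where GetRSAPrivateKey/GetECDsaPrivateKey return RSACng/ECDsaCng for CNG keys and RSACryptoServiceProvider for legacy CSP keys) and reads the store only, exporting nothing.

```powershell
# Inventory of CurrentUser\My: key algorithm, whether a private key is present,
# and which provider holds it (legacy CSP reachable via CryptoAPI, or a CNG KSP).
function Get-StoreKeyInventory {
    param([string]$StorePath = 'Cert:\CurrentUser\My')   # assumed default store path

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $algo       = $cert.PublicKey.Oid.FriendlyName     # "RSA" or "ECC" on Windows
        $provider   = $null
        $exportable = $null
        if ($cert.HasPrivateKey) {
            try {
                $key = switch ($algo) {
                    'RSA'   { [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert) }
                    'ECC'   { [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert) }
                    default { $null }
                }
                if ($key -is [System.Security.Cryptography.RSACng] -or
                    $key -is [System.Security.Cryptography.ECDsaCng]) {
                    # CNG key: only NCrypt*/CNG callers can open it; note the KSP name.
                    $provider   = 'CNG: ' + $key.Key.Provider.Provider
                    $exportable = $key.Key.ExportPolicy.ToString()
                } elseif ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CSP key: visible to CryptoAPI and therefore to the capi engine.
                    $provider   = 'CSP: ' + $key.CspKeyContainerInfo.ProviderName
                    $exportable = $key.CspKeyContainerInfo.Exportable
                }
            } catch {
                # Typical causes: key ACL denies the current user, or the KSP is unavailable.
                $provider = 'access failed: ' + $_.Exception.Message
            }
        }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            Algorithm  = $algo
            HasKey     = $cert.HasPrivateKey
            Provider   = $provider
            Exportable = $exportable
        }
    }
}

Get-StoreKeyInventory | Format-Table -AutoSize
```

Any EC certificate whose Provider column starts with "CNG:" is one the capi engine cannot use; a "CSP:" entry is the case where capi-based RSA signing worked in the post.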