Using OpenSSL with Windows cert store

Marko, Ladislav markolad at fit.cvut.cz
Sun Apr 23 20:53:46 UTC 2023


Hi Pawel!

I am quite new to OpenSSL on Windows and I did some research on the net to
solve my problem, but available knowledge seems to be limited.

I need to develop a TLS 1.2 application using OpenSSL 1.0.2 (FIPS compliant version)
on Windows platform. I have a requirement that it should get certificates, keys and
CRLs from Windows cert store, and it should use TLS 1.2 EC-based suites.

Currently I’m developing a provider doing just that! But unfortunately, providers are OpenSSL 3.0.0 and up.

I have some knowledge about crypto, TLS and OpenSSL but Windows integration is quite new for me.
Correct me if I am wrong, but as far as I know there are, at least in theory, 2 ways
of doing this:

1) Get required cert/keys from Windows store using Windows API (Crypto API or CNG?)
and load it to OpenSSL. I generated self signed certs/keys and imported them into Windows MY store.
Getting certificates from there programmatically using WinAPI is quite easy and works (CertFindCertificateInStore, etc.),
but is it possible to also retrieve the corresponding private keys?
I see functions like CryptExportPKCS8Ex, but it seems they are marked as deprecated.
Is there any working example of retrieving a specific key using it?
Or perhaps it would be easier to use CNG API to do it?

You will find that exporting private keys is sometimes forbidden by the policy set on its import. So you’ll be only able to get a CNG handle of that key. The handle can later be used with CNG hashing and signing functions only. I’m not sure that capi engine does this.

As to selecting a specific key, I found out that with CNG the easiest non-deprecated way is enumerating them and selecting the key matching your criteria (public key match etc.).

2) Using OpenSSL directly with CryptoAPI engine (capi).
Setting capi engine I was able to sign and verify signatures using RSA certs/keys,
but it seems that CryptoAPI (and capi engine using it) does not support EC.
From a quick look at the CNG documentation (https://learn.microsoft.com/en-us/windows/win32/seccng/cng-algorithm-identifiers) it seems that ECDSA is supported, although to be fair I only experimented with RSA keys.

I’m writing this in a hurry, so take everything with a grain of salt.

Cheers,
Ladislav Marko
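Added example, not from either mail: a PowerShell script (not OpenSSL C) that illustrates both the question about retrieving private keys from the MY store and the reply's point that you may only get a CNG handle when the import policy forbids export. It assumes Windows PowerShell 5.1 or newer on .NET 4.6.1+, the CurrentUser\My store, and function names of my own choosing.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Acquire the private key behind a store certificate as a CNG handle (no export)
# and report what CNG says about it: algorithm, key storage provider, export policy.
function Get-StoreKeyInfo {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    # The extension methods return ECDsaCng/RSACng wrappers around the CNG handle,
    # or RSACryptoServiceProvider for keys still held by a legacy CryptoAPI CSP.
    $key = [ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    if (-not $key) { $key = [RSACertificateExtensions]::GetRSAPrivateKey($Cert) }
    if (-not $key) { return $null }
    $cng  = if ($key -is [ECDsaCng] -or $key -is [RSACng]) { $key.Key } else { $null }
    $alg  = if ($cng) { $cng.Algorithm.Algorithm } else { 'RSA' }
    $prov = if ($cng) { $cng.Provider.Provider }   else { 'legacy CryptoAPI CSP' }
    # Export is refused unless the policy fixed at import time allows it.
    $policy = if ($cng) { $cng.ExportPolicy } else { [CngExportPolicies]::None }
    [pscustomobject]@{
        Subject = $Cert.Subject; Thumbprint = $Cert.Thumbprint; Algorithm = $alg
        Provider = $prov; ExportPolicy = $policy
        Exportable = (($policy -band [CngExportPolicies]::AllowExport) -ne 0)
        Key = $key
    }
}

# Sign and verify a constructed payload through the handle: this works even when
# ExportPolicy is None, which is the situation the reply describes.
function Test-SignWithStoreKey {
    param([Parameter(Mandatory)][X509Certificate2]$Cert)
    $info = Get-StoreKeyInfo -Cert $Cert
    if (-not $info) { Write-Warning "No usable private key for $($Cert.Thumbprint)"; return }
    $data = [Text.Encoding]::UTF8.GetBytes('constructed test payload')   # constructed input
    $sha  = [HashAlgorithmName]::SHA256
    if ($info.Key -is [ECDsa]) {
        $sig = $info.Key.SignData($data, $sha)
        $ok  = [ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert).VerifyData($data, $sig, $sha)
    } else {
        $pad = [RSASignaturePadding]::Pkcs1
        $sig = $info.Key.SignData($data, $sha, $pad)
        $ok  = [RSACertificateExtensions]::GetRSAPublicKey($Cert).VerifyData($data, $sig, $sha, $pad)
    }
    [pscustomobject]@{ Thumbprint = $Cert.Thumbprint; Exportable = $info.Exportable
                       SignatureBytes = $sig.Length; Verified = $ok }
}

# Enumerate the current user's MY store (the store used in the original question).
$certs = Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey
$certs | ForEach-Object { Get-StoreKeyInfo -Cert $_ } | Where-Object { $_ } |
    Format-Table Subject, Algorithm, Provider, ExportPolicy, Exportable -AutoSize
$certs | ForEach-Object { Test-SignWithStoreKey -Cert $_ } | Format-Table -AutoSize
```

Keys held by a smart card or TPM-backed KSP may prompt for a PIN when SignData runs; the first table tells you which entries are CNG EC keys before you attempt that.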
