Re: Using Windows system certficate store for server authentication

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/09/2018 20:00, Viktor Dukhovni wrote:

On Sat, Sep 08, 2018 at 01:44:50PM +0000, Salz, Rich via openssl-users wrote:


OpenSSL does not use *any* certificate store, on any platform, it is up to the applications to do what they need.

More precisely, OpenSSL does not bundle any trusted certificates
with the upstream source.  OpenSSL does use $OPENSSLDIR/cert.pem
and $OPENSSL/certs/ as the default CAfile and CApath respectively
via the:

    SSL_CTX_set_default_verify_paths()

function.  These can also be specified via the SSL_CERT_FILE and
SSL_CERT_DIR environment variables.  Applications can specify
additional or alternative CAfile or CApath locations.

IIRC the upstream OpenSSL code does not include an interface to the
Windows Active Directory certificate store.  This may be available
from third parties.

Please note there is no "Active Directory certificate store" for
trusted CAs.

There are however at least 3 similarly named things:

- A per user/machine local CryptoAPI Certificate Store for trusted CAs,
 known intermediary CAs and known extra-bad certs (CA or EE).  This may
 or may not be accessible via the "capi" engine. Alternatively, a script
could be written in a Microsoft language (such as VBScript or
 PowerShell)to automatically keep an /etc/ssl/certs format copy of that
 data.

- An Active Directory certificate store describing mappings between
 trusted end entity certificates and kerberos accounts (such as
 "foo@xxxxxxxxxxxxxxx == specific cert, HTTP/baz.examplecom==some other
 cert).  This can be accessed via LDAP but would be wholy in the
 application domain from an OpenSSL perspective (e.g. an Apache mod_ssl
 config mapping client certs to accounts via LDAP).

- An Active Directory certificate store for Microsoft's Enterprise CA
 software.  This is wholy internal to that non-OpenSSL CA software,
 although some of that data (such as revocation checking) may be
 available via LDAP.

Rule of thumb: Active Directory ~ Microsoft LDAP Directory


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux