On Mon, Jun 15, 2009, Kyle Hamilton wrote: > These scripts pull the latest version of the Mozilla-approved CAs. > OpenSSL is not in the business of making CA certificates available, > but having the ability to do this in the stock package might be very > good for the users. (Make sure that such a tool warns the user that > the CA certificates are those made available by Mozilla, not the > OpenSSL team, and that there's no warranty from OpenSSL on their use > or misuse, such as not checking the hashes against the official > locations for each CA.) >
Under Windows it is possible to use the CryptoAPI ENGINE to dump the standard root store in PEM format using for example: openssl engine capi -t -post store_name:ROOT -post list_options:10 -post list_certs >bundle.pem Though this should be pruned to ensure no inappropriate CAs are included. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org