RE: CAPI and Private keys
So the string that the capi engine needs is a comma separated string of the entry values like what is returned by CertNameToStr with CERT_SIMPLE_NAME_STR type. The only problem that I seem to run into is when dealing with extended characters. CertNameToStr seems to output a correct looking string but the values I get from ASN1_STRING_data(X509_NAME_ENTRY_get_data(subject)) don't seem to display the characters correctly. The extended characters seem to come in as 2 characters. This is probably an encoding issue so I tried using ASN1_STRING_to_UTF8 with no luck. Any ideas of what the difference may be?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, September 27, 2013 2:14 PM
To: openssl-users@openssl.org
Subject: RE: CAPI and Private keys

My mistake. I was looking at Common Name, Organization Unit Name, Organization Name. I can definitely see collisions with this approach. If I want to make a more specific string to avoid any wrong certificates, what format should it be in for the capi engine to accept it? I've tried

    X509_NAME_oneline(X509_get_subject_name(m_pX509), buffer, sizeof(buffer));

But that doesn't work. Should it just be comma separated values or something like "SN=value,SN=value"?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 2:08 PM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Thu, Sep 26, 2013, Fili, Tom wrote:

> Hmmm...ok. Is it possible that in some cases passing the subject to
> ENGINE_load_private_key is the incorrect thing to do?
>
> What I'm doing seems pretty simple but in some cases I get key/value mismatch
> errors.
>
> I get the PCCERT_CONTEXT from the windows certificate store.
>
> Then do the following to get the X509 structure and the private key
>
> PCCERT_CONTEXT context;
> ...
> const unsigned char *pData = context->pbCertEncoded;
> X509* pX509 = d2i_X509(0, &pData, context->cbCertEncoded);
> // Get Subject
> if (X509_NAME* subject = X509_get_subject_name(pX509))
> {
>     for(int nid=0;nid<3;++nid)
>     {
>         X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
>         if( buffer[0] != '\0' )
>         {
>             m_subject = buffer;
>             break;
>         }
>     }
> }
> EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);
>
> Then I set the context to use the certificates
>
> int errCode = SSL_CTX_use_certificate(context, pX509);
> errCode = SSL_CTX_use_PrivateKey(context, pkey);
>
> I don't seem to have any idea how there can be a mismatch.
>

You don't indicate what the "NIDs" array is. It's possible that there are multiple certificates matching the values you look up and ENGINE_load_private_key() just finds the first one which may not be the one you want.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
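The "2 characters" symptom described above is what you see when an X.509 name value is stored as a BMPString (UCS-2, big-endian, two bytes per character) and the raw bytes from ASN1_STRING_data() are treated as text; the string type is reported by ASN1_STRING_type(), and ASN1_STRING_to_UTF8() is OpenSSL's converter for it. The following is an added example, not code from the thread or from OpenSSL: it decodes the value by hand in plain C (so it runs without OpenSSL or Win32), then joins the decoded values into the comma-separated form the thread describes for the capi engine id. The type rdn_value, the functions, the sample subject and the quoting rule (double-quote a value containing a comma or quote, double embedded quotes) are my own assumptions, the quoting being modelled on CertNameToStr's behaviour rather than copied from its documentation. Matching on the decoded UTF-8 rather than the raw bytes is the point; as the reply above notes, a subject-derived id can still match several certificates, so the more specific the string, the less chance of picking the wrong key.

```c
/* Added example, not code from the thread: decodes X.509 name values by hand (what
 * ASN1_STRING_to_UTF8() does) to show the BMPString "2 bytes per character" effect,
 * then joins them into the comma-separated id string the thread describes for the
 * capi ENGINE. Plain C, no OpenSSL or Win32 needed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* ASN.1 universal tags for the string types handled here. */
enum { TAG_UTF8STRING = 12, TAG_PRINTABLESTRING = 19, TAG_BMPSTRING = 30 };

typedef struct {
    int tag;                    /* what ASN1_STRING_type() would report */
    const unsigned char *data;  /* what ASN1_STRING_data() would return */
    size_t len;                 /* what ASN1_STRING_length() would return */
} rdn_value;

/* Write code point cp (<= 0xFFFF) as UTF-8; returns the number of bytes written. */
static size_t put_utf8(unsigned long cp, char *out) {
    if (cp < 0x80) { out[0] = (char)cp; return 1; }
    if (cp < 0x800) { out[0] = (char)(0xC0 | (cp >> 6)); out[1] = (char)(0x80 | (cp & 0x3F)); return 2; }
    out[0] = (char)(0xE0 | (cp >> 12));
    out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
    out[2] = (char)(0x80 | (cp & 0x3F));
    return 3;
}

/* Decode one value to a malloc'd NUL-terminated UTF-8 string, or NULL if the tag is
 * unsupported or a BMPString has an odd byte count. ASCII types pass through;
 * BMPString is widened from UCS-2BE (surrogate pairs are not handled here). */
char *rdn_value_to_utf8(const rdn_value *v) {
    char *out;
    size_t i, n = 0;
    if (v->tag == TAG_UTF8STRING || v->tag == TAG_PRINTABLESTRING) {
        if (!(out = malloc(v->len + 1))) return NULL;
        memcpy(out, v->data, v->len);
        out[v->len] = '\0';
        return out;
    }
    if (v->tag != TAG_BMPSTRING || (v->len & 1)) return NULL;
    if (!(out = malloc(v->len / 2 * 3 + 1))) return NULL;  /* <= 3 UTF-8 bytes per unit */
    for (i = 0; i < v->len; i += 2)
        n += put_utf8(((unsigned long)v->data[i] << 8) | v->data[i + 1], out + n);
    out[n] = '\0';
    return out;
}

/* Join decoded values with ", ". A value containing ',' or '"' is wrapped in double
 * quotes with embedded quotes doubled so the separator stays unambiguous (assumed
 * rule modelled on CertNameToStr). Returns malloc'd string, NULL if any value fails. */
char *join_simple_name(const rdn_value *vals, size_t count) {
    char **dec = calloc(count ? count : 1, sizeof *dec);
    char *out = NULL, *p;
    size_t cap = 1, i;
    if (!dec) return NULL;
    for (i = 0; i < count; i++) {
        if (!(dec[i] = rdn_value_to_utf8(&vals[i]))) goto done;
        cap += 2 * strlen(dec[i]) + 4;  /* doubled quotes + wrapping quotes + ", " */
    }
    if (!(out = malloc(cap))) goto done;
    p = out;
    for (i = 0; i < count; i++) {
        int quote = strpbrk(dec[i], ",\"") != NULL;
        const char *q;
        if (i) { *p++ = ','; *p++ = ' '; }
        if (quote) *p++ = '"';
        for (q = dec[i]; *q; q++) { if (*q == '"') *p++ = '"'; *p++ = *q; }
        if (quote) *p++ = '"';
    }
    *p = '\0';
done:
    for (i = 0; i < count; i++) free(dec[i]);
    free(dec);
    return out;
}

/* Constructed sample subject (not from any real certificate): CN as BMPString
 * "Müller", O as UTF8String containing a comma, C as PrintableString. */
static const unsigned char cn_bmp[] = { 0, 'M', 0, 0xFC, 0, 'l', 0, 'l', 0, 'e', 0, 'r' };
static const unsigned char o_utf8[] = "Example, Inc.";
static const unsigned char c_print[] = "US";
const rdn_value sample_subject[3] = {
    { TAG_BMPSTRING,       cn_bmp,  sizeof cn_bmp },
    { TAG_UTF8STRING,      o_utf8,  sizeof o_utf8 - 1 },
    { TAG_PRINTABLESTRING, c_print, sizeof c_print - 1 },
};

int main(void) {
    char *cn = rdn_value_to_utf8(&sample_subject[0]);
    char *id = join_simple_name(sample_subject, 3);
    if (!cn || !id) return 1;
    printf("CN raw bytes: %lu, UTF-8 bytes: %lu, text: %s\n",
           (unsigned long)sample_subject[0].len, (unsigned long)strlen(cn), cn);
    printf("engine id string: %s\n", id);
    free(cn); free(id);
    return 0;
}
```

The CN value carries 12 raw bytes but decodes to 7 UTF-8 bytes; printing the raw buffer as narrow text is what produces the doubled-looking characters. The joined id for the sample is Müller, "Example, Inc.", US.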
RE: CAPI and Private keys
My mistake. I was looking at Common Name, Organization Unit Name, Organization Name. I can definitely see collisions with this approach. If I want to make a more specific string to avoid any wrong certificates, what format should it be in for the capi engine to accept it? I've tried

    X509_NAME_oneline(X509_get_subject_name(m_pX509), buffer, sizeof(buffer));

But that doesn't work. Should it just be comma separated values or something like "SN=value,SN=value"?

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 2:08 PM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Thu, Sep 26, 2013, Fili, Tom wrote:

> Hmmm...ok. Is it possible that in some cases passing the subject to
> ENGINE_load_private_key is the incorrect thing to do?
>
> What I'm doing seems pretty simple but in some cases I get key/value mismatch
> errors.
>
> I get the PCCERT_CONTEXT from the windows certificate store.
>
> Then do the following to get the X509 structure and the private key
>
> PCCERT_CONTEXT context;
> ...
> const unsigned char *pData = context->pbCertEncoded;
> X509* pX509 = d2i_X509(0, &pData, context->cbCertEncoded);
> // Get Subject
> if (X509_NAME* subject = X509_get_subject_name(pX509))
> {
>     for(int nid=0;nid<3;++nid)
>     {
>         X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
>         if( buffer[0] != '\0' )
>         {
>             m_subject = buffer;
>             break;
>         }
>     }
> }
> EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);
>
> Then I set the context to use the certificates
>
> int errCode = SSL_CTX_use_certificate(context, pX509);
> errCode = SSL_CTX_use_PrivateKey(context, pkey);
>
> I don't seem to have any idea how there can be a mismatch.
>

You don't indicate what the "NIDs" array is. It's possible that there are multiple certificates matching the values you look up and ENGINE_load_private_key() just finds the first one which may not be the one you want.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: CAPI and Private keys
Hmmm...ok. Is it possible that in some cases passing the subject to ENGINE_load_private_key is the incorrect thing to do?

What I'm doing seems pretty simple but in some cases I get key/value mismatch errors.

I get the PCCERT_CONTEXT from the windows certificate store.

Then do the following to get the X509 structure and the private key

    PCCERT_CONTEXT context;
    ...
    const unsigned char *pData = context->pbCertEncoded;
    X509* pX509 = d2i_X509(0, &pData, context->cbCertEncoded);
    // Get Subject
    if (X509_NAME* subject = X509_get_subject_name(pX509))
    {
        for(int nid=0;nid<3;++nid)
        {
            X509_NAME_get_text_by_NID(subject, NIDs[nid], buffer, sizeof(buffer));
            if( buffer[0] != '\0' )
            {
                m_subject = buffer;
                break;
            }
        }
    }
    EVP_PKEY *pkey = ENGINE_load_private_key(e, m_subject, 0, 0);

Then I set the context to use the certificates

    int errCode = SSL_CTX_use_certificate(context, pX509);
    errCode = SSL_CTX_use_PrivateKey(context, pkey);

I don't seem to have any idea how there can be a mismatch.

Thanks for all your help.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, September 26, 2013 6:53 AM
To: openssl-users@openssl.org
Subject: Re: CAPI and Private keys

On Wed, Sep 25, 2013, Fili, Tom wrote:

> I'm using the capi API to access certificates in the Windows Cert
> Store. I'm using the following to get access to the private key
>
> EVP_PKEY *key = ENGINE_load_private_key(e, subject, 0, 0);
>
> This seems to work as far as I can tell. Even if the certificate requires a
> password the OS prompts the user for it before it allows access. I've
> recently run into some customers who don't get the dialog prompt and get a
> "key value mismatch" error when it appears to be calling
> SSL_CTX_use_PrivateKey. I don't have access to their machines, to do a full
> debug session.
>
> I'm wondering if there is something that affects whether Windows displays the
> prompts and if the correct way to do this would be to use
> SSL_CTX_set_default_passwd_cb or specify a UI_METHOD to
> ENGINE_load_private_key instead of depending on the OS for this.
>
> Does anyone have any experience in dealing with this?
>

The UI and password callback functions are not used with the CAPI ENGINE so setting them will have no effect.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
CAPI and Private keys
I'm using the capi API to access certificates in the Windows Cert Store. I'm using the following to get access to the private key

    EVP_PKEY *key = ENGINE_load_private_key(e, subject, 0, 0);

This seems to work as far as I can tell. Even if the certificate requires a password the OS prompts the user for it before it allows access. I've recently run into some customers who don't get the dialog prompt and get a "key value mismatch" error when it appears to be calling SSL_CTX_use_PrivateKey. I don't have access to their machines, to do a full debug session.

I'm wondering if there is something that affects whether Windows displays the prompts and if the correct way to do this would be to use SSL_CTX_set_default_passwd_cb or specify a UI_METHOD to ENGINE_load_private_key instead of depending on the OS for this.

Does anyone have any experience in dealing with this?

Thanks
--Tom
RE: Help with client certificates
That is very helpful. So it looks like there are 2 options, either selecting the first certificate or using the dialog. It looks like there is a callback (client_cert_select) on the CAPI_CTX, which you can get from ENGINE_get_ex_data if you know the index (which seems to be static to the e_capi.c file). Is there a clean way to do what I want or do I have to hack it and look at the engine->ex_data->sk and make a guess at it?

Thomas Fili

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, July 26, 2012 6:42 PM
To: openssl-users@openssl.org
Subject: Re: Help with client certificates

On Wed, Jul 25, 2012, Fili, Tom wrote:

> I'm trying to setup my application to allow for the use of client
> certificates. I am using the capi engine to pull from the Windows store.
>
> I setup my ssl connection and it works fine if I set the correct
> certificate using SSL_CTX_use_certificate_ASN1 &
> ENGINE_load_private_key.
>
> From what I've read, in the SSL handshake where client certificates are
> required, the server actually sends back a list of CAs that it accepts.
> Is there something I can do after SSL_do_handshake or something I can
> do in place of it to get that list of CAs, so I can filter the list I
> display to the user (similar to the certificate dialogs you see in a
> browser).
>

There is an automatic client certificate selection feature in the capi ENGINE. You just pass the ENGINE parameter to SSL_CTX_set_client_cert_engine. If OpenSSL is compiled with the OPENSSL_CAPIENG_DIALOG it will also display a dialog box.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Filtering client certificates
I need to figure out which client certificates are issued by valid CAs (according to the server). I set a callback with SSL_CTX_set_client_cert_cb. In the callback I get the list of CAs from the server with

    STACK_OF(X509_NAME) *pX509Names = SSL_get_client_CA_list(ssl)

Now I have a list of certificates from the Windows certificate store (I can get them into an X509 structure). How can I check which of these certs are from one of the server approved CAs? I'm thinking I can call SSL_CTX_set_client_CA_list(sslCtx, pX509Names), but I don't know where to go after that to verify them.

I'm a bit of a novice at this stuff, so any help would be appreciated. Thanks.

Thomas Fili
Help with client certificates
I'm trying to setup my application to allow for the use of client certificates. I am using the capi engine to pull from the Windows store.

I setup my ssl connection and it works fine if I set the correct certificate using SSL_CTX_use_certificate_ASN1 & ENGINE_load_private_key.

From what I've read, in the SSL handshake where client certificates are required, the server actually sends back a list of CAs that it accepts. Is there something I can do after SSL_do_handshake or something I can do in place of it to get that list of CAs, so I can filter the list I display to the user (similar to the certificate dialogs you see in a browser).

Thanks for your help
--Tom
Clearing a certificate
I set an SSL certificate by using SSL_CTX_use_certificate_ASN1 and SSL_CTX_use_PrivateKey. Then in certain cases I need to clear the certificate and go back to the default. Right now I destroy the context with SSL_CTX_free and create a new one. This causes a crash which looks like memory corruption. Is there something else I need to do? I'm using OpenSSL through POCO, so the memory corruption may be coming from that as well? Is there a way to clear the certificate and set it back to the default without creating a new context?

Thomas Fili
3D Software Engineer
Analytical Graphics, Inc.
Phone: 610.981.8184
Fax: 610.981.8001
http://www.insight3d.com
http://www.agi.com
Get AGI software training right from your desk via new computer-based training: www.agi.com/training
RE: Private Key from Windows Cert Store
Ok, I look to have got it working. Using SSL_CTX_set_default_verify_paths after registering the engine worked as desired. Also SSL_CTX_use_certificate_ASN1 with cbCertEncoded and pbCertEncoded from the CERT_CONTEXT seemed to work as well. Thanks for all your help.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, December 03, 2010 3:48 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Ok, I got it loading. Thanks. I still have an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.

    ENGINE_load_builtin_engines();
    if( ENGINE *e = ENGINE_by_id("capi") )
    {
        if( ENGINE_init(e) )
        {
            ENGINE_register_complete(e);
            EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
            SSL_CTX_use_PrivateKey(pContext, privateKey);
            ENGINE_finish(e);
            ENGINE_free(e);
        }
    }

Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert. Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?

Again, thanks. You have been so helpful.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, December 03, 2010 12:27 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Fri, Dec 03, 2010, Fili, Tom wrote:

> I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there
> something I'm missing in the build process that I need to change to get
> the engines compiled in. From what I've read it looks like it builds
> these engines into the openssl dlls.
>
> The following still returns NULL for me.
>
> ENGINE_load_builtin_engines();
> ENGINE *e = ENGINE_by_id("capi");
>

The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll. The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Ok, I got it loading. Thanks. I still have an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.

    ENGINE_load_builtin_engines();
    if( ENGINE *e = ENGINE_by_id("capi") )
    {
        if( ENGINE_init(e) )
        {
            ENGINE_register_complete(e);
            EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
            SSL_CTX_use_PrivateKey(pContext, privateKey);
            ENGINE_finish(e);
            ENGINE_free(e);
        }
    }

Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert. Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?

Again, thanks. You have been so helpful.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, December 03, 2010 12:27 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Fri, Dec 03, 2010, Fili, Tom wrote:

> I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there
> something I'm missing in the build process that I need to change to get
> the engines compiled in. From what I've read it looks like it builds
> these engines into the openssl dlls.
>
> The following still returns NULL for me.
>
> ENGINE_load_builtin_engines();
> ENGINE *e = ENGINE_by_id("capi");
>

The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll. The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
    l symbol _EVP_PKEY_free referenced in function _ibm_4758_load_privkey
    e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_assign referenced in function _ibm_4758_load_privkey
    e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_new referenced in function _ibm_4758_load_privkey
    e_4758cca.obj : error LNK2019: unresolved external symbol _BN_bin2bn referenced in function _ibm_4758_load_privkey
    e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_set_ex_data referenced in function _ibm_4758_load_privkey
    e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_new_method referenced in function _ibm_4758_load_privkey
    out32dll.dbg\4758cca.dll : fatal error LNK1120: 43 unresolved externals
    NMAKE : fatal error U1077: '"C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\link.EXE"' : return code '0x460'
    Stop.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, December 03, 2010 12:01 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines compiled in. From what I've read it looks like it builds these engines into the openssl dlls.

The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and
> the Crypto API. I got most of the info from the capi that I needed
> except the private key, which from what I've read may not always be
> exportable anyway. I was looking for how to call the following functions
> with a location in the store, instead of a file.
>
> SSL_CTX_load_verify_locations
> SSL_CTX_use_PrivateKey_file
> SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine
> doesn't appear to load as I get NULL from ENGINE_by_id("capi");
>

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help. Otherwise you call ENGINE_load_privatekey(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines compiled in. From what I've read it looks like it builds these engines into the openssl dlls.

The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and
> the Crypto API. I got most of the info from the capi that I needed
> except the private key, which from what I've read may not always be
> exportable anyway. I was looking for how to call the following functions
> with a location in the store, instead of a file.
>
> SSL_CTX_load_verify_locations
> SSL_CTX_use_PrivateKey_file
> SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine
> doesn't appear to load as I get NULL from ENGINE_by_id("capi");
>

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help. Otherwise you call ENGINE_load_privatekey(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.

    SSL_CTX_load_verify_locations
    SSL_CTX_use_PrivateKey_file
    SSL_CTX_use_certificate_chain_file

or replacement functions that need to be called instead.

Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stef Hoeben
Sent: Sunday, November 28, 2010 12:58 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Hi Tom,

here's the code of a little cmd line tool we use to test our CSPs.

Cheers,
Stef

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Fili, Tom
> Sent: Sunday, 28 November 2010 18:19
> To: openssl-users@openssl.org
> Subject: RE: Private Key from Windows Cert Store
>
> Is there a place that has some docs or examples of the capi API? I've
> looked around, but haven't found any good source for these.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.
>
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org on behalf of So Gerald
> Sent: Fri 11/26/2010 4:35 AM
> To: openssl-users@openssl.org
> Subject: Re: Private Key from Windows Cert Store
>
> I think you may use the CAPI engine instead.
>
> 2010/11/24 Fili, Tom
>
> > I'm trying to load a private key file of a personal cert from a key file
> > and load it like so:
> >
> > SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
> >
> > However the certificate is in the Windows Certificate Store. I'm trying to
> > write it out to a PEM file, but I'm not quite sure how to get the data that
> > goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
> >
> > For the certificate pem file I can just base64 encode pbCertEncoded from
> > the CERT_CONTEXT, but no idea what to do for the private key. I've tried so
> > many things but all are incorrect. I've exported the file from the MMC
> > snap-in and used OpenSSL to convert it to a pem file and that works, but I
> > have no idea how to get that info programmatically.
> >
> > Any help would be appreciated.
> >
> > Tom Fili
> > Software Engineer
> > Analytical Graphics Inc.
RE: Private Key from Windows Cert Store
Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom

> I'm trying to load a private key file of a personal cert from a key file
> and load it like so:
>
> SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
>
> However the certificate is in the Windows Certificate Store. I'm trying to
> write it out to a PEM file, but I'm not quite sure how to get the data that
> goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.
>
> For the certificate pem file I can just base64 encode pbCertEncoded from
> the CERT_CONTEXT, but no idea what to do for the private key. I've tried so
> many things but all are incorrect. I've exported the file from the MMC
> snap-in and used OpenSSL to convert it to a pem file and that works, but I
> have no idea how to get that info programmatically.
>
> Any help would be appreciated.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.
Private Key from Windows Cert Store
I'm trying to load a private key file of a personal cert from a key file and load it like so:

    SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)

However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----.

For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.

Any help would be appreciated.

Tom Fili
Software Engineer
Analytical Graphics Inc.