Thanks for your response. I did not know this functionality was in OpenSSL, so this may make my work much easier. I have two further questions:
1. Is there any documentation anywhere on this engine? All I've found is a few previous postings on this mailing list and a few others on how to configure the openssl utility to use it, but not third-party applications.

2. If I'm building OpenSSL as a shared object (using the OpenSSL FIPS module), the ENGINE_load_capi function does not exist in either libeay32.lib or ssleay32.lib. I'm guessing it's in capi.dll, but I have no idea how to load and use it through that interface.

Graeme

From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Jan Just Keijser
Sent: Monday, October 07, 2013 10:38 AM
To: openssl-dev@openssl.org
Subject: Re: Using Windows certificate store through OpenSSL

Perrow, Graeme wrote:
> I'd like to add the ability for my (client) application to use the Windows certificate store to verify a server's certificate during an SSL handshake. I've created a callback and set it using SSL_CTX_set_verify( ctx, SSL_VERIFY_PEER, mycallback ). Inside that callback, I can retrieve information about the server's certificate and can also enumerate through the certificates in the certificate store. But then what? Is there a way to tell OpenSSL "Please verify the server's certificate using this trusted certificate"? In the case when the client supplies the trusted certificate in advance, I can pass it to X509_STORE_add_cert before the handshake, but can I do that *during* the handshake? Can I simply get the PEM / DER information for both certificates and memcpy them?

Wasn't support for this added via the crypto engine 'capieng'?

Rebuild openssl using
    ./config enable-capieng
and use the CAPI engine.

HTH,

JJK