On Fri, Mar 03, 2006 at 08:12:41AM +0000, Mike McEwen wrote:
> >I want my application to trust certificates signed by the major CAs out
> >there. Does anyone know of a way to hook up to the place where
> >Windows stores its list of CAs? Or maybe just a place where I can
> >download the keys of the standard CAs (like Verisign, Thawte...). Is
> >there such a thing as a standard list, or does everyone just come up with a
> >bunch of CAs they like?
>
> If your application is running on Windows you can dynamically access the
> Windows certificate store, see:
>
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/seccrypto/security/certopensystemstore.asp
Or you can use the 'certutil.exe' tool, available as part of the Windows
2003 Admin Pak (which also installs directly onto Windows 2000, and runs
under XP if you copy the appropriate bits across):

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx

  certutil -store root       # list them
  certutil -viewstore root   # GUI display

The store called 'root' is the set of trusted self-signed root
certificates, and store 'ca' is the set of known intermediate CAs. Store
'my' is your machine's own certificates.

  certutil -split -store root

dumps them all out into separate files, e.g. Blob99_0.crt - these are DER
but you can turn them into PEM easily enough.

  certutil -dump Blob99_0.crt

decodes the certificate structure for display.

Alternatively, if you just want a set of root certificates, then openssl
itself comes with some - see the 'certs' subdirectory of the openssl
source bundle. Of course, you'd be wise to establish an appropriate degree
of trust in each one individually.

Regards,
Brian.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
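The two steps Brian describes (pull the roots out of the Windows 'root' store, then turn the DER blobs into PEM) plus the caveat at the end (establish trust in each root individually) can be put together in one small script. The following is an added example written for this thread, not code from the original post or from the OpenSSL project. It assumes Python's standard-library ssl.enum_certificates(), which exists only on Windows and reads the same system stores certutil does, and it assumes a directory of DER files such as the Blob99_0.crt files that 'certutil -split -store root' writes; the output file name roots.pem and the label format are the example's own choices. The SHA-256 fingerprint it prints for each root is the value you would compare against the CA's published fingerprint before deciding to trust that root.

```python
"""Collect trusted root certificates into one PEM bundle and print each
root's SHA-256 fingerprint so it can be checked against the CA's
published value by hand.

Two sources are supported (example code, not from the original post):
  * on Windows, a system store via ssl.enum_certificates() (the stores
    certutil -store root / ca / my read);
  * on any platform, a directory of DER files such as those written by
    'certutil -split -store root' (Blob99_0.crt, ...).
"""
import hashlib
import os
import ssl
import sys
from typing import Iterable, Iterator, List, Tuple


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, in the colon-separated upper-case
    form that certutil and 'openssl x509 -fingerprint' print."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def der_to_pem(der: bytes) -> str:
    """Wrap a DER certificate in PEM armour (base64 + BEGIN/END lines)."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_to_der(pem: str) -> bytes:
    """Inverse of der_to_pem, used to check the conversion round-trips."""
    return ssl.PEM_cert_to_DER_cert(pem)


def windows_store(name: str = "ROOT") -> Iterator[Tuple[str, bytes]]:
    """Yield (label, der) for every X.509 certificate in a Windows system
    store ('ROOT', 'CA' or 'MY'). ssl.enum_certificates() returns
    (cert_bytes, encoding_type, trust); PKCS#7 blobs and entries with no
    trust purposes are skipped. Off Windows the function yields nothing."""
    if not hasattr(ssl, "enum_certificates"):
        return
    for der, encoding, trust in ssl.enum_certificates(name):
        if encoding != "x509_asn" or not trust:
            continue
        yield "%s store" % name, der


def der_directory(path: str, suffix: str = ".crt") -> Iterator[Tuple[str, bytes]]:
    """Yield (file name, der) for each DER file certutil -split wrote."""
    for fname in sorted(os.listdir(path)):
        if fname.lower().endswith(suffix):
            with open(os.path.join(path, fname), "rb") as f:
                yield fname, f.read()


def build_bundle(certs: Iterable[Tuple[str, bytes]]) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (pem_bundle, [(label, fingerprint), ...]).

    Duplicates are dropped by fingerprint: the same root commonly turns up
    more than once when several stores or directories are merged. The
    '# label' lines sit outside the BEGIN/END markers, which PEM readers
    such as OpenSSL's ignore, so the bundle stays loadable as-is."""
    pem_parts: List[str] = []
    report: List[Tuple[str, str]] = []
    seen = set()
    for label, der in certs:
        fp = fingerprint(der)
        if fp in seen:
            continue
        seen.add(fp)
        pem_parts.append("# %s\n%s" % (label, der_to_pem(der)))
        report.append((label, fp))
    return "".join(pem_parts), report


if __name__ == "__main__":
    # With a directory argument read certutil's split output; otherwise
    # read the Windows ROOT store directly.
    source = der_directory(sys.argv[1]) if len(sys.argv) > 1 else windows_store("ROOT")
    bundle, report = build_bundle(source)
    with open("roots.pem", "w") as out:
        out.write(bundle)
    for label, fp in report:
        print("%s  %s" % (fp, label))
    print("%d root(s) written to roots.pem; verify each fingerprint before use" % len(report))
```

Run it on Windows with no arguments to read the live 'root' store, or on any platform as `python roots.py C:\path\to\split-output` against the files certutil -split produced. The resulting roots.pem is a bundle OpenSSL can load (for example as the CAfile argument to 'openssl verify'), but the point of the printed fingerprints is that nothing in the bundle should be trusted merely because Windows shipped it: compare each fingerprint with the one the CA publishes and delete any root you cannot account for.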