Re: Private Key from Windows Cert Store
Fili, can you please share the snippet for this? I am still not able to get this to work. It keeps on giving an error.

On Wed, Dec 8, 2010 at 9:57 AM, Fili, Tom tf...@agi.com wrote:

> Ok, I look to have got it working. Using SSL_CTX_set_default_verify_paths after registering the engine worked as desired. Also SSL_CTX_use_certificate_ASN1 with cbCertEncoded and pbCertEncoded from the CERT_CONTEXT seemed to work as well.
>
> Thanks for all your help.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
> Sent: Friday, December 03, 2010 3:48 PM
> To: openssl-users@openssl.org
> Subject: RE: Private Key from Windows Cert Store
>
> Ok, I got it loading. Thanks.
>
> I'm still having an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.
>
>     ENGINE_load_builtin_engines();
>     if( ENGINE *e = ENGINE_by_id("capi") )
>     {
>         if( ENGINE_init(e) )
>         {
>             ENGINE_register_complete(e);
>             EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
>             SSL_CTX_use_PrivateKey(pContext, privateKey);
>             ENGINE_finish(e);
>             ENGINE_free(e);
>         }
>     }
>
> Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert.
>
> Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?
>
> Again, thanks. You have been so helpful.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Friday, December 03, 2010 12:27 PM
> To: openssl-users@openssl.org
> Subject: Re: Private Key from Windows Cert Store
>
> On Fri, Dec 03, 2010, Fili, Tom wrote:
>
> > I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.
> >
> >     ENGINE_load_builtin_engines();
> >     ENGINE *e = ENGINE_by_id("capi");
>
> The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.
>
> The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: Private Key from Windows Cert Store
I am using the same method, I am not able to load private key.

On Fri, Dec 3, 2010 at 2:47 PM, Fili, Tom tf...@agi.com wrote:

> Ok, I got it loading. Thanks.
>
> I'm still having an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.
>
>     ENGINE_load_builtin_engines();
>     if( ENGINE *e = ENGINE_by_id("capi") )
>     {
>         if( ENGINE_init(e) )
>         {
>             ENGINE_register_complete(e);
>             EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
>             SSL_CTX_use_PrivateKey(pContext, privateKey);
>             ENGINE_finish(e);
>             ENGINE_free(e);
>         }
>     }
>
> Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert.
>
> Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?
>
> Again, thanks. You have been so helpful.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
> Sent: Friday, December 03, 2010 12:27 PM
> To: openssl-users@openssl.org
> Subject: Re: Private Key from Windows Cert Store
>
> On Fri, Dec 03, 2010, Fili, Tom wrote:
>
> > I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.
> >
> >     ENGINE_load_builtin_engines();
> >     ENGINE *e = ENGINE_by_id("capi");
>
> The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.
>
> The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Ok, I look to have got it working. Using SSL_CTX_set_default_verify_paths after registering the engine worked as desired. Also SSL_CTX_use_certificate_ASN1 with cbCertEncoded and pbCertEncoded from the CERT_CONTEXT seemed to work as well.

Thanks for all your help.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, December 03, 2010 3:48 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Ok, I got it loading. Thanks.

I'm still having an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.

    ENGINE_load_builtin_engines();
    if( ENGINE *e = ENGINE_by_id("capi") )
    {
        if( ENGINE_init(e) )
        {
            ENGINE_register_complete(e);
            EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
            SSL_CTX_use_PrivateKey(pContext, privateKey);
            ENGINE_finish(e);
            ENGINE_free(e);
        }
    }

Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert.

Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?

Again, thanks. You have been so helpful.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, December 03, 2010 12:27 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Fri, Dec 03, 2010, Fili, Tom wrote:

> I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.
>
>     ENGINE_load_builtin_engines();
>     ENGINE *e = ENGINE_by_id("capi");

The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.

The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
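The combination that worked in the message above (certificate bytes from the CERT_CONTEXT, private key through the CAPI ENGINE), as an added C example that is not code from the thread or from OpenSSL. The names `use_store_identity`, `id_result` and `id_result_str` are made up for it, the current user's "MY" store is an assumption, and CA trust setup is left out.

```c
/* Added example, not code from the thread: bind the certificate and its
 * private key from the Windows "MY" store to an SSL_CTX. The names
 * use_store_identity, id_result and id_result_str are made up here. On a
 * non-Windows build the function only reports ID_UNSUPPORTED. */
#ifdef _WIN32
#include <windows.h>
#include <wincrypt.h>                /* must come before the OpenSSL headers */
#include <openssl/engine.h>
#include <openssl/ssl.h>
#else
typedef struct ssl_ctx_st SSL_CTX;   /* opaque, so the file compiles anywhere */
#endif

enum id_result { ID_OK, ID_UNSUPPORTED, ID_NO_ENGINE, ID_NO_CERT,
                 ID_CERT_REJECTED, ID_NO_KEY, ID_MISMATCH };

const char *id_result_str(enum id_result r)
{
    static const char *const text[] = {
        "certificate and key bound", "not a Windows build",
        "CAPI ENGINE unavailable", "certificate not found in store",
        "certificate rejected by OpenSSL", "private key not loadable",
        "key does not match certificate" };
    return text[r];
}

/* subject: the string used to find the certificate (assumed to be a
 * substring of its subject name), also passed to the ENGINE as key id. */
enum id_result use_store_identity(SSL_CTX *ctx, const char *subject)
{
#ifndef _WIN32
    (void)ctx;
    (void)subject;
    return ID_UNSUPPORTED;
#else
    enum id_result rc = ID_NO_CERT;
    HCERTSTORE store = NULL;
    PCCERT_CONTEXT cert = NULL;
    EVP_PKEY *key = NULL;
    ENGINE *e;

    ENGINE_load_builtin_engines();
    e = ENGINE_by_id("capi");        /* NULL when the ENGINE was not built */
    if (e == NULL)
        return ID_NO_ENGINE;
    if (!ENGINE_init(e)) {
        ENGINE_free(e);
        return ID_NO_ENGINE;
    }

    /* Certificate: hand the DER bytes of the CERT_CONTEXT to OpenSSL. */
    store = CertOpenSystemStoreA(0, "MY");
    if (store == NULL)
        goto done;
    cert = CertFindCertificateInStore(store,
                                      X509_ASN_ENCODING | PKCS_7_ASN_ENCODING,
                                      0, CERT_FIND_SUBJECT_STR_A, subject, NULL);
    if (cert == NULL)
        goto done;
    rc = ID_CERT_REJECTED;
    if (SSL_CTX_use_certificate_ASN1(ctx, (int)cert->cbCertEncoded,
                                     cert->pbCertEncoded) != 1)
        goto done;

    /* Private key: the ENGINE returns a handle; the key material stays in
     * the CSP, so nothing has to be exported to a PEM file. */
    rc = ID_NO_KEY;
    key = ENGINE_load_private_key(e, subject, NULL, NULL);
    if (key == NULL || SSL_CTX_use_PrivateKey(ctx, key) != 1)
        goto done;

    /* The ENGINE does its own store lookup from the same string, so confirm
     * that the key it found belongs to the certificate set above. */
    rc = SSL_CTX_check_private_key(ctx) == 1 ? ID_OK : ID_MISMATCH;
done:
    if (key != NULL)
        EVP_PKEY_free(key);          /* the SSL_CTX holds its own reference */
    if (cert != NULL)
        CertFreeCertificateContext(cert);
    if (store != NULL)
        CertCloseStore(store, 0);
    ENGINE_finish(e);                /* release the functional reference */
    ENGINE_free(e);                  /* release the structural reference */
    return rc;
#endif
}
```

Call it once after SSL_CTX_new(); any result other than ID_OK means the context has no usable client identity.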
RE: Private Key from Windows Cert Store
I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.
>
>     SSL_CTX_load_verify_locations
>     SSL_CTX_use_PrivateKey_file
>     SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_private_key(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
_EVP_PKEY_free referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_assign referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_new referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _BN_bin2bn referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_set_ex_data referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_new_method referenced in function _ibm_4758_load_privkey
out32dll.dbg\4758cca.dll : fatal error LNK1120: 43 unresolved externals
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\link.EXE' : return code '0x460'
Stop.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, December 03, 2010 12:01 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.
>
>     SSL_CTX_load_verify_locations
>     SSL_CTX_use_PrivateKey_file
>     SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_private_key(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Private Key from Windows Cert Store
On Fri, Dec 03, 2010, Fili, Tom wrote:

> I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.
>
>     ENGINE_load_builtin_engines();
>     ENGINE *e = ENGINE_by_id("capi");

The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.

The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
Re: Private Key from Windows Cert Store
LNK2019: unresolved external symbol _DSO_load referenced in function _ibm_4758_cca_init
e_4758cca.obj : error LNK2019: unresolved external symbol _BUF_strdup referenced in function _set_CCA4758_LIB_NAME
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_free referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_free referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_assign referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _EVP_PKEY_new referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _BN_bin2bn referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_set_ex_data referenced in function _ibm_4758_load_privkey
e_4758cca.obj : error LNK2019: unresolved external symbol _RSA_new_method referenced in function _ibm_4758_load_privkey
out32dll.dbg\4758cca.dll : fatal error LNK1120: 43 unresolved externals
NMAKE : fatal error U1077: 'C:\Program Files\Microsoft Visual Studio 9.0\VC\BIN\link.EXE' : return code '0x460'
Stop.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: Friday, December 03, 2010 12:01 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.

    ENGINE_load_builtin_engines();
    ENGINE *e = ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Tuesday, November 30, 2010 11:49 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.
>
>     SSL_CTX_load_verify_locations
>     SSL_CTX_use_PrivateKey_file
>     SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_private_key(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Ok, I got it loading. Thanks.

I'm still having an issue, which would stem from my lack of understanding of OpenSSL. This seems to succeed in giving me the private key.

    ENGINE_load_builtin_engines();
    if( ENGINE *e = ENGINE_by_id("capi") )
    {
        if( ENGINE_init(e) )
        {
            ENGINE_register_complete(e);
            EVP_PKEY *privateKey = ENGINE_load_private_key(e, certificate.Subject().c_str(), 0, 0);
            SSL_CTX_use_PrivateKey(pContext, privateKey);
            ENGINE_finish(e);
            ENGINE_free(e);
        }
    }

Now I need to make the equivalent call for SSL_CTX_use_certificate_file which I'm guessing is SSL_CTX_use_certificate and I get the cert from ENGINE_load_ssl_client_cert. I'm a little unclear on what to pass into ENGINE_load_ssl_client_cert.

Also, will SSL_CTX_set_default_verify_paths use the CA certs from the Windows store or is there another engine call I have to make?

Again, thanks. You have been so helpful.

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, December 03, 2010 12:27 PM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

On Fri, Dec 03, 2010, Fili, Tom wrote:

> I rebuilt OpenSSL and didn't get a capi.dll. I'm using 0.9.8k. Is there something I'm missing in the build process that I need to change to get the engines to be compiled in? From what I've read it looks like it builds these engines into the openssl dlls. The following still returns NULL for me.
>
>     ENGINE_load_builtin_engines();
>     ENGINE *e = ENGINE_by_id("capi");

The CAPI ENGINE isn't compiled in by default in OpenSSL 0.9.8x, it needs the command line switch enable-capieng to Configure. Also the ENGINE dll build process isn't enabled in 0.9.8x so you'll get it built into libeay32.dll.

The CAPI ENGINE is compiled by default in 1.0.0x and the dll ENGINE support enabled so you should get a capi.dll with that.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.

    SSL_CTX_load_verify_locations
    SSL_CTX_use_PrivateKey_file
    SSL_CTX_use_certificate_chain_file

or replacement functions that need to be called instead.

Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stef Hoeben
Sent: Sunday, November 28, 2010 12:58 PM
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Hi Tom,

here's the code of a little cmd line tool we use to test our CSPs.

Cheers,
Stef

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: zondag 28 november 2010 18:19
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

> I'm trying to load a private key file of a personal cert from a key file and load it like so:
>
>     SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
>
> However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.
>
> Any help would be appreciated.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.
Re: Private Key from Windows Cert Store
Before you can use ENGINE_by_id, you need to call ENGINE_load_builtin_engines();

I am also not able to use Private Key from Cert Store. Let me know in case you are able to do that.

On Tue, Nov 30, 2010 at 9:16 AM, Fili, Tom tf...@agi.com wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.
>
>     SSL_CTX_load_verify_locations
>     SSL_CTX_use_PrivateKey_file
>     SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Stef Hoeben
> Sent: Sunday, November 28, 2010 12:58 PM
> To: openssl-users@openssl.org
> Subject: RE: Private Key from Windows Cert Store
>
> Hi Tom,
>
> here's the code of a little cmd line tool we use to test our CSPs.
>
> Cheers,
> Stef
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
> Sent: zondag 28 november 2010 18:19
> To: openssl-users@openssl.org
> Subject: RE: Private Key from Windows Cert Store
>
> Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org on behalf of So Gerald
> Sent: Fri 11/26/2010 4:35 AM
> To: openssl-users@openssl.org
> Subject: Re: Private Key from Windows Cert Store
>
> I think you may use the CAPI engine instead.
>
> 2010/11/24 Fili, Tom tf...@agi.com
>
> > I'm trying to load a private key file of a personal cert from a key file and load it like so:
> >
> >     SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
> >
> > However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.
> >
> > Any help would be appreciated.
> >
> > Tom Fili
> > Software Engineer
> > Analytical Graphics Inc.
Re: Private Key from Windows Cert Store
On Tue, Nov 30, 2010, Fili, Tom wrote:

> Thanks, but I was more looking for docs on the interop of OpenSSL and the Crypto API. I got pretty much most of the info from the capi that I needed except the private key, which from what I've read may not always be exportable anyway. I was looking for how to call the following functions with a location in the store, instead of a file.
>
>     SSL_CTX_load_verify_locations
>     SSL_CTX_use_PrivateKey_file
>     SSL_CTX_use_certificate_chain_file
>
> or replacement functions that need to be called instead.
>
> Also, I'm having issues compiling with capi engine support. The engine doesn't appear to load as I get NULL from ENGINE_by_id("capi");

When you build OpenSSL it should produce a capi.dll file which needs to be installed in an appropriate place: where depends on how you've configured OpenSSL.

Do you want to use the private key for client authentication? If so there is an automatic certificate selection process which may help.

Otherwise you call ENGINE_load_private_key(engine, id, NULL, NULL); then pass the EVP_PKEY structure to SSL_CTX_use_PrivateKey(). Where id is (by default) a string passed to CertFindCertificateInStore().

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
RE: Private Key from Windows Cert Store
Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

> I'm trying to load a private key file of a personal cert from a key file and load it like so:
>
>     SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
>
> However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.
>
> Any help would be appreciated.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.
RE: Private Key from Windows Cert Store
Hi Tom,

here's the code of a little cmd line tool we use to test our CSPs.

Cheers,
Stef

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Fili, Tom
Sent: zondag 28 november 2010 18:19
To: openssl-users@openssl.org
Subject: RE: Private Key from Windows Cert Store

Is there a place that has some docs or examples of the capi API? I've looked around, but haven't found any good source for these.

Tom Fili
Software Engineer
Analytical Graphics Inc.

-----Original Message-----
From: owner-openssl-us...@openssl.org on behalf of So Gerald
Sent: Fri 11/26/2010 4:35 AM
To: openssl-users@openssl.org
Subject: Re: Private Key from Windows Cert Store

I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

> I'm trying to load a private key file of a personal cert from a key file and load it like so:
>
>     SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
>
> However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.
>
> Any help would be appreciated.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.

Attachment: testcapi.c
Re: Private Key from Windows Cert Store
I think you may use the CAPI engine instead.

2010/11/24 Fili, Tom tf...@agi.com

> I'm trying to load a private key file of a personal cert from a key file and load it like so:
>
>     SSL_CTX_use_PrivateKey_file(pSSLContext, privateKeyFile, SSL_FILETYPE_PEM)
>
> However the certificate is in the Windows Certificate Store. I'm trying to write it out to a PEM file, but I'm not quite sure how to get the data that goes in between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----. For the certificate pem file I can just base64 encode pbCertEncoded from the CERT_CONTEXT, but no idea what to do for the private key. I've tried so many things but all are incorrect. I've exported the file from the MMC snap-in and used OpenSSL to convert it to a pem file and that works, but I have no idea how to get that info programmatically.
>
> Any help would be appreciated.
>
> Tom Fili
> Software Engineer
> Analytical Graphics Inc.