OpenSSL reasonable default for trusted CA certificates?

Backend · Unresolved · 3 answers · 744 views
执笔经年 2020-12-28 21:03

Is there a way to set up an OpenSSL context (SSL_CTX) with a reasonable set of trusted CA certificates without distributing them myself? I don't want

3 answers
  •  小鲜肉 (original poster) 2020-12-28 21:47

    Here's what I ended up doing:

    On Windows: get the certificates from the Windows "ROOT" certificate store using CertOpenSystemStore, loop over them using CertEnumCertificatesInStore, grab the X509-encoded raw certificate from the pbCertEncoded field of the CERT_CONTEXT, create an OpenSSL X509 structure using d2i_X509, and add it to the OpenSSL certificate store using X509_STORE_add_cert. The Windows functions are all available from crypt32.dll.

    On Mac OS X: get the certificates from the "/System/Library/Keychains/SystemRootCertificates.keychain" keychain using SecKeychainOpen, create an iterator for the certificates in the keychain using SecKeychainSearchCreateFromAttributes, iterate using SecKeychainSearchCopyNext, get the raw X509 certificate using SecItemExport, create an OpenSSL certificate using d2i_X509, and add it to the OpenSSL store using X509_STORE_add_cert. The Mac functions are available from /System/Library/Frameworks/Security.framework/Security.

    A better approach might be to create an OpenSSL X509_STORE with a callback that uses OS functions to verify an individual root cert, rather than copying all of them over, but I haven't tried that.
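An added example, not code from the question or the answer above: the same "pull the OS trust roots into the OpenSSL context" procedure written against Python's `ssl` module, whose `SSLContext` wraps an OpenSSL `SSL_CTX`. On Windows, `ssl.enum_certificates("ROOT")` performs the CertOpenSystemStore / CertEnumCertificatesInStore loop from the answer and returns each DER blob together with the purposes Windows trusts that root for; the example keeps only roots trusted for server authentication (EKU id-kp-serverAuth), a check the answer's copy-every-root loop does not make. On macOS it shells out to the stock `security` tool to dump the same SystemRootCertificates.keychain as PEM instead of calling Security.framework directly. The entries in `SAMPLE_ROOT_STORE` are constructed stand-ins, not real certificates.

```python
import ssl
import subprocess
import sys

# id-kp-serverAuth: a root the OS trusts only for, say, code signing or
# e-mail protection should not be used to verify a TLS server certificate.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

# Constructed stand-ins for ssl.enum_certificates("ROOT") output; the byte
# strings are NOT real certificates, only the (cert, encoding, trust) shape
# and the trust metadata matter here.
SAMPLE_ROOT_STORE = [
    (b"\x30\x82\x00\x10root-A", "x509_asn", True),                                  # trusted for all purposes
    (b"\x30\x82\x00\x10root-B", "x509_asn", {SERVER_AUTH_OID, "1.3.6.1.5.5.7.3.2"}),  # server + client auth
    (b"\x30\x82\x00\x10root-C", "x509_asn", {"1.3.6.1.5.5.7.3.3"}),                 # code signing only
    (b"\x30\x82\x00\x10bundle", "pkcs_7_asn", True),                                # PKCS#7 blob, not a cert
]


def select_server_auth_roots(entries, purpose_oid=SERVER_AUTH_OID):
    """Filter (cert_bytes, encoding, trust) triples of the shape returned by
    ssl.enum_certificates(). Keep DER X.509 entries ("x509_asn") that Windows
    marks as trusted for every purpose (trust is True) or whose trust set
    contains purpose_oid. PKCS#7 blobs, entries with no trust information and
    roots without a matching purpose are dropped. Returns DER byte strings."""
    selected = []
    for cert_der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue
        if trust is True or (trust and purpose_oid in trust):
            selected.append(cert_der)
    return selected


def windows_root_store_der():
    """Windows only: the CertOpenSystemStore/CertEnumCertificatesInStore loop
    as exposed by ssl.enum_certificates, reduced to server-auth roots."""
    return select_server_auth_roots(ssl.enum_certificates("ROOT"))


def macos_system_roots_pem():
    """macOS only: dump SystemRootCertificates.keychain as PEM text with the
    stock `security` command (find-certificate -a -p prints every cert)."""
    result = subprocess.run(
        ["security", "find-certificate", "-a", "-p",
         "/System/Library/Keychains/SystemRootCertificates.keychain"],
        check=True, capture_output=True, text=True)
    return result.stdout


def make_os_trusted_context():
    """Build a verifying TLS client context whose trust store comes from the
    platform: the Windows ROOT store, the macOS system roots keychain, or
    OpenSSL's compiled-in default paths elsewhere (Linux distributions ship
    a CA bundle there)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never talk to an unverified peer
    ctx.check_hostname = True
    if sys.platform == "win32":
        der_blob = b"".join(windows_root_store_der())
        if der_blob:
            # cadata given as bytes is read as concatenated DER certificates
            ctx.load_verify_locations(cadata=der_blob)
    elif sys.platform == "darwin":
        pem_text = macos_system_roots_pem()
        if pem_text.strip():
            # cadata given as str is read as one or more PEM certificates
            ctx.load_verify_locations(cadata=pem_text)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


if __name__ == "__main__":
    kept = select_server_auth_roots(SAMPLE_ROOT_STORE)
    print("server-auth roots kept from sample store:", len(kept))  # 2 of 4
    ctx = make_os_trusted_context()
    print("verifying context built, CA certs loaded:", len(ctx.get_ca_certs()))
```

The filter is the part worth keeping even if you stay in C: Windows stores the per-purpose trust of a root as the certificate's enhanced key usage property, so a loop that blindly hands every `pbCertEncoded` to `X509_STORE_add_cert` also imports roots the OS itself would refuse for TLS.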
