OpenSSL reasonable default for trusted CA certificates?

Question

Is there a way to set up an OpenSSL context (SSL_CTX) with a reasonable set of trusted CA certificates without distributing them myself? I don\'t want

Answer 1

Here's what I ended up doing:

On Windows: get the certificates from the Windows "ROOT" certificate store using CertOpenSystemStore, loop over them using CertEnumCertificatesInStore, grab the X509-encoded raw certificate from the pbCertEncoded field of the CERT_CONTEXT, create an OpenSSL X509 structure using d2i_X509, and add it to the OpenSSL certificate store using X509_STORE_add_cert. The Windows functions are all available from crypt32.dll.

On Mac OS X: get the certificates from the "/System/Library/Keychains/SystemRootCertificates.keychain" keychain using SecKeychainOpen, create an iterator for the certificates in the keychain using SecKeychainSearchCreateFromAttributes, iterate using SecKeychainSearchCopyNext, get the raw X509 certificate using SecItemExport, create an OpenSSL certificate using d2i_X509, and add it to the OpenSSL store using X509_STORE_add_cert. The Mac functions are available from /Systems/Library/Frameworks/Security.framework/Security.

A better approach might be to create an OpenSSL X509_STORE with a callback that uses OS functions to verify an individual root cert, rather than copying all of them over, but I haven't tried that.

Answer 2

On OS X, you can get information on the certificates trusted by the user from the user's Keychain. Here is a link containing some very good information on collecting that info using Cocoa:

Get Certificates in Keychain

If Cocoa is not an ok dependency for your needs, and you want to do everything straight from the command line, you could use the certtool utility- see man certtool and other online documentation to learn about it. To list all certificates in the user's login keychain, you might do:

certtool y k=login.keychain

Or to get a list of the built-in trusted system roots:

certtool y k=/System/Library/Keychains/SystemRootCertificates.keychain

and maybe

certtool y k=/System/Library/Keychains/SystemCACertificates.keychain

I'm sure there are other ways to get at that information using system interfaces as well.

On the Linux side, yes, /etc/ssl/certs/ca-certificates.crt is the right way to go. That file will exist on Debian derivatives (inc. Ubuntu variants) when the ca-certificates package is installed, and I'm not sure how to get it there properly on redhat-based systems.

Answer 3

You could use curl's script that converts the list from Mozilla (from Curl's maintainer's answer). According to its code, it seems to check whether the certificate is trusted or not before including it.