SSL Connection, Windows Certificate Store and CAPI engine

Submitted by 妖精的绣舞 on 2019-12-30 10:47:26

Question

I am creating an SSL connection using the OpenSSL API. As we know, in an SSL handshake a series of certificate authentications occurs for the server or client. Now for client certificate authentication, the client's certificate and associated private key are stored in the Windows Certificate Store.

This certificate with its private key is imported into the store after combining them into PFX format, and then that PFX file is imported into the Windows Cert Store. Now, while importing this PFX file using the mmc snap-in, it asks whether we want to make the private key exportable or not. Now OpenSSL comes into the picture for making the SSL connection.

For that we have to create an SSL_CTX object in which all the connection-related properties are loaded. Now, for loading the private key from the Windows certificate store into the SSL_CTX object, I have marked that private key exportable so that I can export the key using the Crypto API. But I think marking a private key exportable does not make any sense; it's a security breach.

Since the private key will always be marked non-exportable, is there any method or API of OpenSSL, etc., that can directly read and load the private key from the Windows cert store into the SSL_CTX object for making an SSL connection?

I know there is definitely some way for this to work, but I am not getting it. I have searched a lot for this but have not found the required thing.

Summarized question: The Certificate Store holds many certificates and associated private keys. How are the certificates and private keys accessed when making an SSL connection?

EDIT: I have gone through an OpenSSL engine API called

```c
EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
                                  UI_METHOD *ui_method, void *callback_data);
```

Now, how can I get this key_id of the private key? Also, I think this API internally calls the Crypto API CryptExportKey, and that API fails if the private key is marked non-exportable.

Source: https://stackoverflow.com/questions/34549899/ssl-connection-windows-certificate-store-and-capi-engine
