I am creating an SSL
connection using OpenSSL API. As we know in a SSL handshake, series of Certificate Authentication occurs for Server or Client. Now for client certificate authentication, the client's certificate and associated private key are stored in Windows Certificate Store
.
This certificate with private key
is imported into the store after combining them into a pfx
format and then that pfx
file is imported to the windows Cert store. Now while importing this pfx file using mmc
snap-in it asks whether we want to make the private key exportable
or not. Now OpenSSL comes into picture for making SSL connection.
For that we have to create SSL_CTX
object in which all the connection related properties are loaded. Now for loading private key from windows certificate store into SSL_CTX
object, i have marked that private key exportable
that i am exporting the key using Crypto API
. But I think marking a private key exportable does not make any sense, it's a security breach.
Since private key will always be marked Non-Exportable
so, is there any method or API of OpenSSL, etc that can directly read and load private key from windows cert store into SST_CTX object for making a SSL connection.
I know definitely there is some way for this to work but i am not getting it. I have searched a lot for this but not got the required thing.
Summarized Question: The Certificate Store holds many certificates and associated private keys. How are the certificates and private keys accessed when making an SSL connection ?
EDIT : I have gone through an openssl engine API called
`EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id,
UI_METHOD *ui_method, void *callback_data);`
Now how can i get this key_id
of the private key and also i think this api internally called crypto api CryptExportKey
and this api fails if private key is marked non-exportable
.
来源:https://stackoverflow.com/questions/34549899/ssl-connection-windows-certificate-store-and-capi-engine