Can OpenSSL on Windows use the system certificate store?

Question

Some working C++ code that I\'m porting from Linux to Windows is failing on windows because SSL_get_verify_result() is returning X509_V_ERR_UNABLE_TO_GET_

Answer 1

Yes

It is possible to use OpenSSL for operation-as-usual, and use CryptoAPI only for the certificate verification process. I see several threads around here on this topic, and most are tiptoed around/through.

With CryptoAPI you have to:

• decode PEM to DER with CryptStringToBinary(),

• create a CERT_CONTEXT object with CertCreateCertificateContext()

• and verify the certificate in this form by well known/documented procedure. (For example here at ETutorials.)

  For last step to work, you also need to initialize HCERTSTORE for one of MY, ROOT, CA system stores, or iterate through them... depending on the behavior you want.