How to specifiy -CAPath using OpenSSL in windows to perform TLS handshake
#Use someone else's PEM bundle.
You can not use the Windows certificate store directly with OpenSSL. Instead OpenSSL expects its CAs in one of two ways:
- Many files: In a special folder structure. One file per certificate with regular names like
Verisign-CA.pem
. (This is so that humans can understand the cert store.) And then a symlink to each such file. And the symlinks have weird names like01c34cfa
... and so on. They are named for a hash value of the certificate file. (This is so that OpenSSL can understand the cert store. More info: man page foropenssl verify
.) If you want to add a cert, you just drop the file in the directory and run a script that creates the symlink for you.
You can specify the path to that folder with the CApath
command line argument (Case sensitive: Large CA
, small path
.):
-CApath arg - PEM format directory of CA's
- Single file: All CA certificates lumped together in a PEM bundle.
You can specify the path to that file with the CAfile
command line argument (Case sensitive: Large CA
, small file
.):
-CAfile arg - PEM format file of CA's
And one easy way to get such a PEM bundle is to download it from the testssl.sh site: https://github.com/drwetter/testssl.sh/blob/3.1dev/etc/Microsoft.pem
And this will then work with a Windows installation of OpenSSL:
c:\> openssl s_client -connect google.com:443 -CAfile "c:\Microsoft.pem"
...
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
This site has a list of various sites that provide PEM bundles, and refers to this git hub project, which provides copies of all the main OS PEM bundles in single file format which can be used by OpenSSL on windows.
One can extract the microsoft_windows.pem from provided tar file and use it like so
echo | openssl.exe s_client -CAfile microsoft_windows.pem -servername URL -connect HOST:PORT 2>nul