
I need to do mutual SSL authentication from my client app (C++) using OpenSSL (via libcurl). I am reading certs from a smart card via MS Crypto API (CAPI) and the ActivClient driver, and doing cert-chain validation with CAPI (this seemed easier than validating the cert chain with OpenSSL, since the cert chain is in the MS cert store). I can convert the client cert from CAPI to OpenSSL, but I'm having problems with the private key.

It seems that, for the server to validate my client's cert, I need to expose the client cert private key to OpenSSL. It's not quite clear how I should do that, or even if I can do that (it may depend on whether the key is marked as "exportable" in the cert). I can try following the suggestions in Converting private key in windows store to PEM (for OpenSSL), and hope the key is exportable, but I wonder whether I am even going down the correct path.

I've searched quite a bit on this topic, but haven't found any conclusive info.

Any advice and/or suggestions are appreciated!!

asked by cperras
  • "I can try following the suggestions in Converting private key in windows store to PEM (for OpenSSL)..." - (working from old memory here...) - I seem to recall you have to wrap the private key when exporting. To do so, use [CryptExportKey](http://msdn.microsoft.com/en-us/library/aa379931%28v=vs.85%29.aspx) and select `hExpKey` as an RSA key with an exponent of 1 or 0 (that was the trick). Once the target key is exported, then work on getting OpenSSL to consume it. – jww Jan 25 '14 at 00:49
  • This is similar to what you want to try and do: [How to export and import plain text session keys by using CryptoAPI](http://support.microsoft.com/kb/228786/en-us). – jww Jan 25 '14 at 00:53

0 Answers