2

I am using the ssl module in python, specifically this:

SSLContext.load_cert_chain

Most examples of using this show using file paths as the first two parameters like this:

context.load_cert_chain("/path/to/cert.pem", "/path/to/key.pem", password=password)

What if these certificates are stored in the Windows certs store? (CA, Root, etc). Can I still retrieve and then use the file path to pass into the above method?

Improve this question

1 Answer 1

Reset to default
2

Short answer: It doesn't work easily.

The ssl module offers some access to the Windows certificate store via ssl.enum_certificates but that is pretty limited and does not offer access to the private key (which might even be marked as not-exportable).

The Windows certificate store is automatically used for client connections, to verify the servers certificate. But you cannot easily use it to create a server side context.

If you want to store keys and certificates in the Windows certificate store, you need to use the Windows SSPI (SChannel) APIs to implement the TLS layer. The python ssl module doesn't help in that case. The SSPI provides an API similar to the ssl.SSLObject which wraps the OpenSSL MemoryBIO protocol, so in theory one could implement a ssl.SSLObject on top of the Win32 APIs instead of the Openssl APIs.

https://learn.microsoft.com/en-us/windows/desktop/secauthn/creating-a-secure-connection-using-schannel

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.