I create an SSL connection using the OpenSSL API. As is known, in SSL handshaking a series of certificate authentications is performed for the server or client. Now, for client certificate authentication, the client certificate and the associated private key are stored in the Windows Certificate Store.
The certificate and private key are imported into the store after merging them into .pfx format, and then this .pfx file is imported into the Windows certificate store. Now, when importing this .pfx file using the mmc snap-in, it asks whether we want to make the private key exportable or not. This is where OpenSSL comes into the picture to create the SSL connection.
To do this, we need to create an SSL_CTX object into which all properties related to the connection are loaded. Now, to load the private key from the Windows certificate store into the SSL_CTX object, I marked this private key as exportable so that I can export the key using the Crypto API. But I think that marking the private key exportable does not make any sense; this is a security breach.
Since the private key will always be marked Non-Exportable, that means there must be some method or API (OpenSSL, etc.) that can directly read and load the private key from the Windows certificate store into the SSL_CTX object to create an SSL connection.
I know that there is definitely a way to make this work, but I am not getting it. I searched a lot for this, but did not find what I need.
The generalized question: the certificate store contains many certificates and their associated private keys. How can I access the certificates and private keys when creating an SSL connection?
EDIT: I looked at the OpenSSL API called
`EVP_PKEY *ENGINE_load_private_key(ENGINE *e, const char *key_id, UI_METHOD *ui_method, void *callback_data);`
Now, how can I get this key_id for the private key? Also, I think that this API internally calls the Crypto API function CryptExportKey, and that API fails if the private key is marked Non-Exportable.