openssl: Windows Special Setup

Writing this primarily for myself, so I don’t have to Google and go through all these mess again.

If you elect to use an up-to-date version of OpenSSL, you are likely encounter the famous developer company Shining Light Productions.
They are the “Go to” site for people using Windows OpenSSL and they did a pretty great job supporting the latest versions.

Nothing to blame, but if you use the ‘s_client’ and some other features, you would realize that the Windows version does not seem to have a default OpenSSL certificate store. It’s because they don’t.
The developer specifically told me that all they do is a default build, with no modifications added. So if you are like me that would want a list of certificate authorities file, try follow this!

It’s actually quite easy to do. Even though the OpenSSL build do not include a certificate store, you can still include one by checking your OpenSSL build variables. If you use openssl version -a, you’ll see that there’s some extra output, wiith one named OPENSSLDIR.
By default, 64 bit OpenSSL use C:\Program Files\Common Files\SSL, 32 bit use C:\Program Files (x86)\Common Files\SSL.

Open up that folder, and make sure you have admin access before you proceed.

Once you have that folder open, you can see there are a few files. ct_log_list.cnf, openssl.cnf, openssl-vms.cnf.
If you want to query Certificate Transparency, you should consider getting a list of trusted (in use) CT log so you won’t see something like “Invalid files”. You can get a copy of the ct_log_list.cnf file from here (scroll to the bottom).

Back to ca certs.

OpenSSL by default would look for a folder named certs under the previous OPENSSLDIR path. It would be easy to create one if we have permission to do, but the hard part is to fill it up with the certificates OpenSSL recognize. Because according to their MAN page, it require HASHED certs. You can read more on how to do that from StackExchange.

Now it’s simple. Get a Linux machine, go to /usr/lib/ssl/certs (might vary by OS, check your OS MAN). Copy all the certificates that’s not looking normal (aka, looks like a hash, followed by .0). For example, feffd413.0 is GlobalSign_Root_E46.pem. Move all the files to certs folder under OPENSSLDIR.

That’s it! (Yeah I know it’s long and basically trash if you don’t have a Linux machine)

The link below is a archive of CA Certificates extracted from my Ubuntu 22.04 LTS machine at 2022/06/09.
I do not assume any liability if the file is outdated, no longer available or caused any harm to you or anyone.

Scroll to Top