Using CertOpenStore to get the "Microsoft Code Verification Root" certificate from kernel32.dll?

David Beleznay
Hi there,

This is a complex problem so I might not be going about it the right way. If you have a better solution, let me know.


The problem:

We are using curl to talk to our server over https. We have a wildcard certificate issued by Go Daddy. We are populating curl's CURLOPT_SSL_CTX_DATA with the root certs from Windows Certificate Manager (opened with the call below).

    #include <windows.h>
    #include <wincrypt.h>

    /* Open the current user's "Root" store read-only; the certs in it are
       fed into curl's SSL_CTX via CURLOPT_SSL_CTX_DATA. */
    HCERTSTORE hSystemStore = CertOpenStore(
        CERT_STORE_PROV_SYSTEM_A,
        X509_ASN_ENCODING,
        NULL,
        CERT_SYSTEM_STORE_CURRENT_USER | CERT_STORE_READONLY_FLAG,
        "Root");


On a brand-new Windows 10 machine, the Go Daddy root cert is not in the Windows Certificate Manager. Clients who run our program without having gone to a Go Daddy-signed website get a certificate error.

What I've done to try to solve it:

On my server, I've included the whole certificate chain for Go Daddy from the Repository. I've gotten the Microsoft to GoDaddy Cross Certificate, and the "GoDaddy Certificate Bundles - G2 With Cross to G1, includes Root". The problem is that the root cert "Go Daddy Class 2 Certification Authority" is cross-signed by the "Microsoft Code Verification Root" certificate, and THAT cert isn't in the Windows Certificate Manager either. See here: The Knowledge Obelisk: Microsoft's Code Verification Root Certificate - Where to find the crouching cross-signing, hidden certificate.


It looks like I might be able to somehow load that cert from kernel32.dll, and I'm wondering how to do it. Or I'm wondering if I'm even approaching this the right way.


Observations:

I've noticed that as soon as you open the Edge browser and go to almost any website, the Go Daddy cert ends up in your cert store, but somehow some of our customers don't do that (they're from other countries).


What I'm not doing:

I don't want to include a copy of the cert in my executable, because then, if it's revoked or expires, I need to release a new executable.
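A Python counterpart to the CertOpenStore approach above, added here as an illustration and not code from the original post: ssl.enum_certificates() wraps the same CryptoAPI store enumeration, and the filter keeps only roots that Windows trusts for TLS server authentication, so a root trusted only for code signing (such as a code-signing cross-certification root) is never turned into a TLS anchor by mistake. The store name "ROOT", the two EKU OIDs and the (cert_bytes, encoding, trust) tuple shape are taken from the Python ssl documentation; the sample entries used for testing are constructed.

```python
import ssl

# Extended-key-usage OIDs as they appear in the trust set that
# ssl.enum_certificates() returns for each Windows store entry.
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
CODE_SIGNING_OID = "1.3.6.1.5.5.7.3.3"  # id-kp-codeSigning (not a TLS purpose)


def tls_trusted_roots(entries):
    """Keep only DER X.509 entries that Windows trusts for TLS server auth.

    entries are (cert_bytes, encoding_type, trust) tuples, the shape
    ssl.enum_certificates() yields; trust is True (all purposes) or a
    set of OID strings. A root trusted only for code signing is skipped,
    so it can never become a TLS anchor by accident."""
    roots = []
    for der, encoding, trust in entries:
        if encoding != "x509_asn":
            continue  # e.g. "pkcs_7_asn" entries are not single certs
        if trust is True or (isinstance(trust, (set, frozenset))
                             and SERVER_AUTH_OID in trust):
            roots.append(der)
    return roots


def windows_store_entries(store="ROOT"):
    """Read the Windows system store ("ROOT" is the "Root" store in the post).

    ssl.enum_certificates only exists on Windows; elsewhere return []
    so the rest of the code still runs (assumption of this example)."""
    if not hasattr(ssl, "enum_certificates"):
        return []
    return list(ssl.enum_certificates(store))


def context_from_windows_roots():
    """Build a verifying client context from the Windows Root store.

    Returns (context, number_of_roots_loaded). This is the Python
    equivalent of filling curl's SSL_CTX from the CertOpenStore handle."""
    # PROTOCOL_TLS_CLIENT defaults to CERT_REQUIRED plus hostname checking.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    loaded = 0
    for der in tls_trusted_roots(windows_store_entries()):
        try:
            ctx.load_verify_locations(cadata=der)
            loaded += 1
        except ssl.SSLError:
            pass  # a root OpenSSL cannot parse: skip it, keep the others
    return ctx, loaded
```

On a freshly installed machine the loaded count can be small, because Windows fetches missing roots on demand through its Automatic Root Certificates Update mechanism when some application first builds a chain to them, which is what the Edge observation in the post reflects.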
