- Certificate selection string can now specify a partial
issuer name string as "--cryptoapicert ISSUER:<string>" where
<string> is matched as a substring of the issuer (CA) name in
the certificate.
Partial case-insensitive matching against the "issuer name" is
used. Here "issuer name" is a text representation of the RDNs
separated by commas.
E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
as "FindType" for more details.
As the order of RDNs is not well-defined[*] and type names like "OU"
or "CN" are not included, it's best to match against a single attribute
like the CN of the issuer:
E.g., --cryptoapicert "ISSUER:Acme Root"
[*] Windows appears to order RDNs in the reverse order to which
it's written in the certificate, but do not rely on this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
cryptoapicert "SUBJ:Peter Runestig"
- To select a certificate, based on certificate's thumbprint:
+ To select a certificate, based on certificate's thumbprint (SHA1 hash):
::
cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."
The thumbprint hex string can easily be copy-and-pasted from the Windows
- Certificate Store GUI.
+ Certificate Store GUI. The embedded spaces in the hex string are optional.
+
+ To select a certificate based on a substring in certificate's
+ issuer name:
+ ::
+
+ cryptoapicert "ISSUER:Sample CA"
+
+ The first non-expired certificate found in the user's store or the
+ machine store that matches the select-string is used.
--dhcp-release
Ask Windows to release the TAP adapter lease on shutdown. This option
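Review bot: The new ISSUER paragraph does not say how the substring is matched, so a reader cannot tell whether "ISSUER:Sample CA" must equal the whole issuer name or only part of it, or whether case matters. The commit message states that matching is a case-insensitive substring match against the comma-separated RDN text, without "CN"/"OU" type names and with RDN order not well-defined; state that here and recommend a distinctive value such as the issuer CN, because together with "The first non-expired certificate found ... that matches the select-string is used" a short substring like "CA" can silently select an unintended certificate. Minor wording: "a substring in certificate's issuer name" reads better as "a substring of the certificate's issuer name".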
find_param = wide_string(cert_prop + 5, &gc);
find_type = CERT_FIND_SUBJECT_STR_W;
}
+ else if (!strncmp(cert_prop, "ISSUER:", 7))
+ {
+ find_param = wide_string(cert_prop + 7, &gc);
+ find_type = CERT_FIND_ISSUER_STR_W;
+ }
else if (!strncmp(cert_prop, "THUMB:", 6))
{
find_type = CERT_FIND_HASH;
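Review bot: The prefix length in `strncmp(cert_prop, "ISSUER:", 7)` and `cert_prop + 7` is a hand-counted magic number repeated twice, following the existing 5 and 6 for "SUBJ:" and "THUMB:"; a miscount would silently drop or keep one character of the user's select-string. Consider `sizeof("ISSUER:") - 1` or a small prefix-match helper that returns the remainder, so the literal and its length cannot drift apart. Otherwise the branch mirrors the SUBJ: case and CERT_FIND_ISSUER_STR_W is the find type that gives the substring match the documentation describes.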