NCrypt STORE operations

The loadable library engine-ncrypt.dll is the component that exposes the Windows certificate store to applications via the OpenSSL STORE interface. Certificate stores can contain different kinds of objects. The NCrypt STORE engine currently supports reading and using public key certificates present in the store and, if available and allowed, their associated private keys. Listing the names of the objects in the store is possible as well. Creating or persisting new objects is not supported.

A good starting point for using this component is the OpenSSL man page for ossl_store. That page explains that objects are addressed through Uniform Resource Identifiers (URIs). The section Objects and URIs describes the URI schema for the NCrypt STORE engine.

The Windows certificate store is capable of building so-called certificate chains to verify whether a certificate is ultimately (possibly indirectly) issued by an authority that is trusted by the operating system. This process of certificate verification can be leveraged through the NCrypt STORE as well, as explained in the section Certificate verification.

Some examples of how to use the NCrypt STORE engine with the openssl commands are given in the earlier section OpenSSL commands with the engine(s).