How to use cert-sync on Windows?


How to use cert-sync on Windows?

Alexander Köplinger via Mono-list

Reading the SSL/TLS FAQ here: http://www.mono-project.com/docs/faq/security/

And the details on how to use cert-sync here: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync

 

I don’t see any details of how to get the ca-bundle.crt file on Windows.  The instructions only show  Linux and OSX.  One would assume it needs to be exported from the Windows certificate store?  How is that done?

 

I can use the mozroots utility for now, but it gives the deprecation warning so I’d like to use cert-sync instead.

 

Thanks,

Matt


_______________________________________________
Mono-list maillist  -  [hidden email]
http://lists.dot.net/mailman/listinfo/mono-list

Re: How to use cert-sync on Windows?

Alexander Köplinger via Mono-list
You can just download curl's list of certificates from https://curl.haxx.se/ca/cacert.pem and then import the list via "cert-sync --user cacert.pem".

As far as I'm aware we don't currently support reading the certificates from the Windows certificate store.

- Alex


On 21.04.2017, at 22:24, Matt Johnson (AZURE) via Mono-list <[hidden email]> wrote:

Reading the SSL/TLS FAQ here: http://www.mono-project.com/docs/faq/security/
And the details on how to use cert-sync here: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync
 
I don’t see any details of how to get the ca-bundle.crt file on Windows.  The instructions only show  Linux and OSX.  One would assume it needs to be exported from the Windows certificate store?  How is that done?
 
I can use the mozroots utility for now, but it gives the deprecation warning so I’d like to use cert-sync instead.
 
Thanks,
Matt

Re: How to use cert-sync on Windows?

Alexander Köplinger via Mono-list

Since that’s sourced from Mozilla anyway, how is this different than using the mozroots utility?

 

Thanks,

Matt

 

From: Alexander Köplinger
Sent: Friday, April 21, 2017 2:48 PM
To: Matt Johnson (AZURE) <[hidden email]>
Cc: [hidden email]
Subject: Re: [Mono-list] How to use cert-sync on Windows?

 

You can just download curl's list of certificates from https://curl.haxx.se/ca/cacert.pem and then import the list via "cert-sync --user cacert.pem".

 

As far as I'm aware we don't currently support reading the certificates from the Windows certificate store.

 

- Alex

 

 


Re: How to use cert-sync on Windows?

Alexander Köplinger via Mono-list
The problem with mozroots in general is that it has a hardcoded URL to Mozilla's Mercurial source code repository embedded where it grabs the certificate list from.
This breaks when they change their repo and then mozroots is broken (which has happened in the past).
Another problem is that the connection over which this happens can't use SSL (because when you're using mozroots you typically won't yet have any trusted CAs) which is just bad.

Granted, this doesn't affect the use on Windows that much as you can just pass it the file but was a problem on the majority use case which is Linux where we used it during package installation.

cert-sync in turn supports importing from the Linux OpenSSL certificate locations and also imports into the Mono trust store that is used by the new BoringSSL TLS provider.
Thus it's easier to just standardize on one tool.

Hope this helps,
Alex


On 22.04.2017, at 00:24, Matt Johnson (AZURE) <[hidden email]> wrote:

Since that’s sourced from Mozilla anyway, how is this different than using the mozroots utility?
 
Thanks,
Matt
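
The download-and-import step from Alex's replies, as an added PowerShell example that is not part of the original thread or of Mono's documentation: it fetches the bundle over HTTPS (validated by Windows' own trust store, so the bootstrap problem described for mozroots does not arise), checks it against a SHA-256 digest, and confirms every PEM block parses as X.509 before handing the file to cert-sync. `$ExpectedSha256` is a placeholder to fill from a source you trust, and the script assumes `cert-sync` is on PATH.

```powershell
# Added example: fetch, verify and import a CA bundle for Mono on Windows.
# Assumptions: cert-sync is on PATH; $ExpectedSha256 is a placeholder.
$ErrorActionPreference = 'Stop'

$BundleUrl      = 'https://curl.haxx.se/ca/cacert.pem'   # URL given in the thread
$BundlePath     = Join-Path $env:TEMP 'cacert.pem'
$ExpectedSha256 = '<SHA-256 of the bundle, obtained from a source you trust>'

# Older Windows PowerShell can default to pre-1.2 TLS; require TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# The HTTPS connection is validated against the Windows trust store.
Invoke-WebRequest -Uri $BundleUrl -OutFile $BundlePath -UseBasicParsing

# 1. Integrity: refuse to continue if the digest does not match.
$actual = (Get-FileHash -Path $BundlePath -Algorithm SHA256).Hash
if ($actual -ne $ExpectedSha256) {    # -ne compares strings case-insensitively
    throw "Digest mismatch: got $actual"
}

# 2. Sanity: every PEM block must parse as an X.509 certificate.
$pem     = Get-Content -Path $BundlePath -Raw
$pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
$options = [Text.RegularExpressions.RegexOptions]::Singleline
$blocks  = [regex]::Matches($pem, $pattern, $options)
if ($blocks.Count -eq 0) { throw 'No certificates found in bundle.' }

$now     = Get-Date
$expired = 0
foreach ($m in $blocks) {
    # FromBase64String throws on malformed base64; the constructor throws on bad DER.
    $der  = [Convert]::FromBase64String(($m.Groups[1].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
    if ($cert.NotAfter -lt $now) {
        $expired++
        Write-Warning "Expired: $($cert.Subject)"
    }
}
Write-Host "$($blocks.Count) certificates parsed, $expired expired."

# 3. Import into the current user's Mono trust store, as described in the thread.
& cert-sync --user $BundlePath
if ($LASTEXITCODE -ne 0) { throw "cert-sync failed with exit code $LASTEXITCODE" }
```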
 