I need to get certificate and private key from windows store instead of the current two files. I have generated a PKCS12 using the two and have imported it into the windows store.
I am using schannel-rs to find the relevant certificate and:
- get the certificate context (which can be transformed to PEM or DER format and also parsed to X509 using x509-parser)
- get its relevant NcryptKey.
The program is already using rust openssl's SslAcceptorBuilder to load from the certificate file and to use the PKey<Private> which also loads the private key from file.
Question: How can the CertContext be loaded into the SslAcceptorBuilder as the certificate, and how can I use the NcryptKey as a PKey<Private>? (Or also load it into the SslAcceptorBuilder, which is what is required anyway.)
As the SslAcceptor can indeed load an X509, I have searched the Rust openssl documentation for means of creating one X509Ref using the X509Builder but none of them uses bytes of a certificate already in memory. Or at least I haven't yet found a method. Same stands for the PKey.
At the moment I am dumping the certificate as PEM into a file, loading the file and then deleting the file. It is a level higher than having the file already there, but still. Moreover, the private key file is still there. So, no security whatsoever.
Any ideas? Did I miss something? Maybe I cannot avoid using yet another package like rustls or rustls-native-certs?
UPDATE
After switching from rust openssl to rustls, I am able to use the certificate context as DER format for the ServerConfig builder. But I am still missing the part of the Ncrypt key to either PrivateKeyDer or something other usable. Going over schannel-rs repository now, to see if I find some answers there.
Solved everything using the rustls-cng in combination with rustls.
The server example provides enough to use a certificate from the Windows store and its password to pass on to the HttpServer of Actix-web using .bind_rustls_0_22(). For some reason, you do not even have to have administrative rights for Local Machine stored certificates. It also provides the possibility of importing one from a pfx/p12 file which stores together the certificate and private key. It worked like a charm.