Not verifying on Windows #138

Open
senpro-ingwersenk opened this issue Sep 4, 2024 · 4 comments
Labels
O-Windows Work related to the Windows verifier implementation

Comments

@senpro-ingwersenk

Hello there!

I am trying to use Narrowlink and it uses the native verifier to allow users to use custom CAs - which in my case, I have to, as our firewall uses that for TLS/SSL traffic inspection.

However, whenever I try to connect to a server, I get the UnknownIssuer message back, which to me sounds like it couldn't verify the certificate against what Windows had stored.

The firewall CA is valid until 2037 and is self-signed - hence why it needed to be added. cURL and friends can easily use that certificate, but this library can not? I must be missing something.

Any ideas? I tried to look for some way to debug that but had no success...

Kind regards!

@senpro-ingwersenk
Author

After more digging, I found this: https://learn.microsoft.com/en-us/troubleshoot/windows-server/certificates-and-public-key-infrastructure-pki/valid-root-ca-certificates-untrusted

...and I followed some instructions I found for validating the certificate using certutil - which works, flawlessly so.

Since there are two stores (local user and system), which one does the verifier actually use?

@complexspaces
Collaborator

Hi there, thanks for the issue report.

AFAIK the platform verifier uses the local user's store. We don't set any flags to configure it otherwise and CurrentUser seems to be the default based on the docs of CERT_CHAIN_ENGINE_CONFIG. Do you know which store your custom CA is currently installed in?

@complexspaces complexspaces added the O-Windows Work related to the Windows verifier implementation label Sep 5, 2024
@senpro-ingwersenk
Author

It is installed in "This Machine"; so I assume this is the system-wide store (think /etc/ssl/... but the Windows-thing). I will see if it works by purposely importing it into my local profile, if that is even possible with a root CA.

@senpro-ingwersenk
Author

Not exactly my finest idea but I imported it into nigh every "category" in the "This user" selection to see if any of those worked. Unfortunately, it did not. Sadly, due to Windows being Windows, I don't really have any other idea where to put it.
