I extract root certificates from the ROOT and CA stores using the CertEnumCertificatesInStore() function to create a list for OpenSSL from them. The problem is that this list is different for different users (using the AD domain), even on one computer. That is, under one user OpenSSL may not establish a connection with the site because its certificate does not pass validation, and under another it may. Accordingly, fewer certificates are extracted under the first user and more under the other. But if you start Internet Explorer under the first user, from that moment on as many certificates are pulled from the stores as for the second user, and the SSL connection to the site is established.

Since I'm writing a service, I don't like the idea of putting something in the documentation such as "you must log in periodically with this user and start Internet Explorer." How do I do the same thing myself, that is, ask Windows to update the list of root certificates for the current user? And preferably in the correct way, not with some crutch in the style of "well, just run Internet Explorer from the service."

  • Is it known why IE pulls in new certificates? Where does it get them from? - Vladimir Martyanov
  • If I knew, I would not have asked this question. :) I just fought for a couple of days, like a fish against ice, over why the program works under my account but not under the one created for use. In desperation, I logged in under it and started Internet Explorer to check whether the connection was blocked by some firewall. But everything worked. And then the program began to work. Then it was not checked by some other computers on the network. Logging in and launching Internet Explorer corrects the situation. - pda
  • Can Wireshark see what it does? - Vladimir Martyanov
  • You can see it, but it will give me nothing. I hope it uses some kind of documented API that does this work, because downloading them manually is the same crutch that will work until MS replaces the servers. - pda
