stunnel: CNG Engine

The CNG engine is an OpenSSL engine designed to leverage the Windows Cryptography API: Next Generation (CNG) with OpenSSL-based applications.

The CNG engine is intended to serve as a drop-in replacement for the legacy OpenSSL CAPI engine.

Compared to CAPI, the CNG engine offers the following additional features:

A non-commercial edition is available for testing, personal, educational, or research purposes.

Please refer to the non-commercial license for detailed terms and conditions. For a commercial license, please contact us.

LOAD_CERT_CTRL: Get an X509 certificate from the store (requires ENGINE_init())

debug_level: Debug level: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning, 5=notice (default), 6=info, 7=debug
debug_file: Debugging filename
store_name: Certificate store names: MY (default), Root, Trust, CA, UserDS (CERT_SYSTEM_STORE_CURRENT_USER only)
store_flags: Certificate store flags: 0=CERT_SYSTEM_STORE_CURRENT_USER (default), 1=CERT_SYSTEM_STORE_LOCAL_MACHINE
key_type: Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE
list_options: Set list options: 1=summary (default), 2=friendly name, 4=full printout, 8=PEM output, 16=XXX, 32=private key info
lookup_method: Set key lookup method: 1=substring (default), 2=friendlyname
list_csps: List available CNG Key Storage Providers
csp_idx: Set CNG Key Storage Provider by index
csp_name: Set CNG Key Storage Provider by name (default used if not specified)
list_certs: List all certificates in store (requires ENGINE_init())
lookup_cert: Lookup and output certificates (requires ENGINE_init())

csp_type
CSP type is zero if the key container is one of the CNG Key Storage Providers.
list_containers
In CryptoAPI, the key container file is stored in a directory whose name is the textual equivalent of the user's SID. This is no longer the case in CNG, which removes the difficulty of moving users from one domain to another without losing all of their private keys.