The CNG engine is an OpenSSL engine designed to leverage the Windows Cryptography API: Next Generation (CNG) with OpenSSL-based applications.
Key Features
The CNG engine is intended to serve as a drop-in replacement for the legacy OpenSSL CAPI engine.
Compared to CAPI, the CNG engine offers the following additional features:
- Support for negotiating recent versions of TLS, including TLS 1.3.
- Support for OpenSSL 3.0's FIPS 140-2 mode of operation.
- Support for retrieving X509 OpenSSL objects from the engine.
Non-commercial Edition
A non-commercial edition is available for testing, personal, educational, or research purposes.
Please refer to the non-commercial license for detailed terms and conditions. For a commercial license, please contact us.
OpenSSL CAPI Engine and CNG Engine Compatibility Overview
New Engine Control Commands
LOAD_CERT_CTRL
: Get an X509 certificate from the store (requires ENGINE_init())
Supported CAPI Engine Control Commands
debug_level
: Debug level: 0=emerg, 1=alert, 2=crit, 3=err, 4=warning, 5=notice (default), 6=info, 7=debug
debug_file
: Debugging filename
store_name
: Certificate store names: MY (default), Root, Trust, CA, UserDS (CERT_SYSTEM_STORE_CURRENT_USER only)
store_flags
: Certificate store flags: 0=CERT_SYSTEM_STORE_CURRENT_USER (default), 1=CERT_SYSTEM_STORE_LOCAL_MACHINE
key_type
: Key type: 1=AT_KEYEXCHANGE (default), 2=AT_SIGNATURE
list_options
: Set list options: 1=summary (default), 2=friendly name, 4=full printout, 8=PEM output, 16=XXX, 32=private key info
lookup_method
: Set key lookup method: 1=substring (default), 2=friendlyname
list_csps
: List available CNG Key Storage Providers
csp_idx
: Set CNG Key Storage Provider by index
csp_name
: Set CNG Key Storage Provider by name (default used if not specified)
list_certs
: List all certificates in store (requires ENGINE_init())
lookup_cert
: Lookup and output certificates (requires ENGINE_init())
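The following openssl.cnf fragment is an added example of wiring the control commands above into an OpenSSL configuration; it is not taken from the CNG engine project. The engine identifier `cng` and the DLL path are placeholders (assumptions): substitute the identifier and path of your CNG engine build. Command names and values are the ones from the table above; `init = 1` is the point at which OpenSSL calls ENGINE_init() while parsing the section, so commands that require ENGINE_init() must be placed after it.

```ini
# Added example, not the CNG engine's own documentation.
# Placeholders: the engine id "cng" and the dynamic_path value.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
cng = cng_section

[cng_section]
# Placeholder engine identifier (assumption)
engine_id = cng
# Placeholder DLL path (assumption). Forward slashes are used on purpose:
# the OpenSSL config parser treats backslash as an escape character.
dynamic_path = C:/path/to/cng_engine.dll

# Control commands issued before ENGINE_init(), names and values from the table above.
# debug_level 4 = warning; debug_file is where the engine writes its log.
debug_level = 4
debug_file = C:/path/to/cng_engine.log
# store_flags 1 = CERT_SYSTEM_STORE_LOCAL_MACHINE (0 = CURRENT_USER, the default).
store_flags = 1
store_name = MY
# key_type 2 = AT_SIGNATURE (1 = AT_KEYEXCHANGE, the default).
key_type = 2
# lookup_method 1 = substring match (2 = friendlyname).
lookup_method = 1

# OpenSSL calls ENGINE_init() here. Commands marked "requires ENGINE_init()"
# (list_certs, lookup_cert, LOAD_CERT_CTRL) only work after this line.
init = 1
# Uncomment to dump the store contents to the debug output while troubleshooting.
# "EMPTY" is how an openssl.cnf passes a command that takes no argument
# (assumed here, as it is for the CAPI engine's list_certs).
# list_certs = EMPTY
default_algorithms = ALL
```

Point OpenSSL at this file (for example via the OPENSSL_CONF environment variable) and check it with `openssl engine -t -c cng`, which prints `[ available ]` only when ENGINE_init() succeeds; raising debug_level to 7 (debug) makes the engine log each control command it receives, which is the quickest way to see a store_name or store_flags value that does not match where the certificate actually lives.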
Unsupported CAPI Engine Control Commands
csp_type
: CSP type is zero if the key container is one of the CNG Key Storage Providers.
list_containers
: In CryptoAPI, the key container file is stored in a directory whose name is the textual equivalent of the user's SID. This is no longer the case in CNG, which removes the difficulty of moving users from one domain to another without losing all of their private keys.
Unsupported CAPI Engine Features
- DSA signatures and certificates