OpenSSL Providers

OpenSSL 3.0 introduced the provider concept as a flexible way to supply cryptographic algorithms and related functionality. A provider can implement a wide range of features, including encryption, key management, and certificate handling. This modular design makes it easier to extend OpenSSL with new algorithms or integrate it with external cryptographic frameworks.

CNG Provider

The CNG provider is a native OpenSSL 3.x provider that bridges Microsoft Cryptography API: Next Generation (CNG) with OpenSSL’s provider-based architecture. It enables OpenSSL applications to access keys, certificates, and algorithms through Windows CNG while remaining compatible with existing OpenSSL-based applications.

Key Features

• Seamless integration with Windows CNG for cryptographic operations such as signing and verification.
• Support for OpenSSL 3.x property queries (for example: provider=cngprov, fips=yes).
• Can coexist with other providers, including the OpenSSL default and FIPS providers.
• Access to private keys stored in Windows key stores or backed by smart cards or TPMs via CNG.
• Improved performance and stability over the engine-based approach.

Extended URI Format

The general format for accessing objects with a specified lookup method is:

cng:store_name=<StoreName>;store_location=<StoreLocation>;lookup_method=<Method>;object=<ObjectName>;csp_name=<CSPName>;pin=<PIN>;debug_level<DebugLevel>;debu
g_file<FilePath>

Parameters:

• store_name: Name of the certificate store (search all if not specified): MY, Root, Trust, CA, UserDS (CERT_SYSTEM_STORE_CURRENT_USER only).
• store_location: Location of the certificate store. Possible values:
  • CurrentUser: Store for the current user (default).
  • LocalMachine: Store for the local computer.
• lookup_method: Method used to locate the certificate. Supported values:
  • substring: Search by a substring of the Subject Distinguished Name (default).
  • friendlyname: Search by the certificate's friendly name.
  • thumbprint: Search by the SHA-1 thumbprint.
  • issuer: Search by a substring of the Issuer Distinguished Name.
• object: Identifier of the certificate or key object to retrieve.
• csp_name: Name of the Cryptographic Service Provider (e.g., Microsoft Software Key Storage Provider).
• pin: Optional PIN or password if the key is protected.
• debug_level: Verbosity of debug output.
• debug_file: Path to the debug log file.