[Mono-list] How to use cert-sync on Windows?

Alexander Köplinger alkpli at microsoft.com
Sat Apr 22 01:53:41 UTC 2017

The problem with mozroots in general is that it has a hardcoded URL to Mozilla's Mercurial source code repository embedded where it grabs the certificate list from.
This breaks when they change their repo and then mozroots is broken (which has happened in the past).
Another problem is that the connection over which this happens can't use SSL (because when you're using mozroots you typically won't yet have any trusted CAs) which is just bad.

Granted, this doesn't affect the use on Windows that much as you can just pass it the file but was a problem on the majority use case which is Linux where we used it during package installation.

cert-sync in turn supports importing from the Linux OpenSSL certificate locations and also imports into the Mono trust store that is used by the new BoringSSL TLS provider.
Thus it's easier to just standardize on one tool.

Hope this helps,

On 22.04.2017, at 00:24, Matt Johnson (AZURE) <matt.johnson at microsoft.com<mailto:matt.johnson at microsoft.com>> wrote:

Since that’s sourced from Mozilla anyway, how is this different than using the mozroots utility?


From: Alexander Köplinger
Sent: Friday, April 21, 2017 2:48 PM
To: Matt Johnson (AZURE) <matt.johnson at microsoft.com<mailto:matt.johnson at microsoft.com>>
Cc: mono-list at lists.dot.net<mailto:mono-list at lists.dot.net>
Subject: Re: [Mono-list] How to use cert-sync on Windows?

You can just download curl's list of certificates from https://curl.haxx.se/ca/cacert.pem and then import the list via "cert-sync --user cacert.pem".

As far as I'm aware we don't currently support reading the certificates from the Windows certificate store.

- Alex

On 21.04.2017, at 22:24, Matt Johnson (AZURE) via Mono-list <mono-list at lists.dot.net<mailto:mono-list at lists.dot.net>> wrote:

Reading the SSL/TLS FAQ here: http://www.mono-project.com/docs/faq/security/<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.mono-project.com%2Fdocs%2Ffaq%2Fsecurity%2F&data=02%7C01%7Calkpli%40microsoft.com%7C4b57b0b174684614db6e08d488f46d99%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284030781577238&sdata=mVjubGhaGJcAt%2FfS8HlEeG7owXrE0L43lYIFC3EpAok%3D&reserved=0>
And the details on how to use cert-sync here: http://www.mono-project.com/docs/about-mono/releases/3.12.0/#cert-sync<https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fwww.mono-project.com%2Fdocs%2Fabout-mono%2Freleases%2F3.12.0%2F%23cert-sync&data=02%7C01%7Calkpli%40microsoft.com%7C4b57b0b174684614db6e08d488f46d99%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636284030781577238&sdata=McGLyj0YpzNHYU1NG7CauPD2KHF%2BkgnC59n4x3oMEpc%3D&reserved=0>

I don’t see any details of how to get the ca-bundle.crt file on Windows.  The instructions only show  Linux and OSX.  One would assume it needs to be exported from the Windows certificate store?  How is that done?

I can use the mozroots utility for now, but it gives the deprecation warning so I’d like to use cert-sync instead.

Mono-list maillist  -  Mono-list at lists.dot.net<mailto:Mono-list at lists.dot.net>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.dot.net/pipermail/mono-list/attachments/20170422/924844af/attachment.html>

More information about the Mono-list mailing list