Angus Robertson

ICS SSL/TLS Certificate CA Trusted Stores


ICS includes three CA Trusted Stores, two as PEM bundle files, one in a source unit, and access to the Windows Certificate Store directly:

1 - RootCaCertsBundle.pem is a large file that was originally created 15 years ago by exporting the Windows certificate store using the OverbyteIcsPemTool sample. But Windows 10 no longer has a complete local certificate store and instead downloads new certificates as needed by Windows browsers. So with ICS V8.63, it is now the same as the new microsoft_windows.pem bundle mentioned above. It currently contains 289 certificates and is 595 bytes in size and may be found in the Samples/Delphi/SslInternet/ directory.

2 - TrustedCABundle.pem is a smaller file, with certificates for major commercial issuers, manually updated as newer sites are found to have missing root certificates. But this file is more dynamic than RootCaCertsBundle.pem. It currently contains 51 certificates and is 88 Kbytes in size and may be found in the Samples/Delphi/SslInternet/ directory.

3 - To avoid distributing bundle files, and as a fail-safe if a file cannot be found, ICS includes 34 built-in hard-coded certificates in OverbyteIcsSslX509Utils.pas which can be returned as a string by the function sslRootCACertsBundle. Again this unit may be dynamic, with new certificates added as needed. Note only the TSslHttpRest, TIcsIpStrmLog, TIcsFtpMulti, TIcsHttpMulti and TIcsMailQueue components use the built-in bundle by default; other components need to add it manually, to avoid the extra program code involved.

4 - ICS also includes a component TMsCertChainEngine in the unit OverbyteIcsMsSslUtils.pas which allows applications to avoid using bundle files and instead access the Windows Certificate Store directly to validate certificates. There is a very slight overhead as the store is opened, and Windows may need to download missing root certificates. Only the TSslHttpRest, TIcsIpStrmLog, TIcsFtpMulti, TIcsHttpMulti and TIcsMailQueue components include TMsCertChainEngine by default, with the CertVerMethod property selecting CertVerNone, CertVerBundle or CertVerWinStore. TMsCertChainEngine does include one extra optional feature to check if any certificates in the chain have been revoked by their issuer, perhaps for fraudulent use. Beware that revoke checks involve contacting each issuer and can slow down chain validation by a few seconds or even longer.

Either of the certificate bundle files may be loaded into an SslContext by using the SslCAFile property. The built-in bundle may be specified before the SslContext is initialised using the SslCALines.Text property, or the LoadCAFromString method after initialisation.

If checking a certificate chain, OpenSSL will issue the error message 'unable to get local issuer certificate' if a trusted certificate is not found in the store.

The contents of the three certificate bundles are listed at http://wiki.overbyte.eu/wiki/index.php/FAQ_ICS_SSL/TLS_CA_Trusted_Store_Contents


Angus
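Added example, not code from the original post or from the ICS project, showing how the trust-store options described above fit together in Delphi: a bundle file when one is present, the built-in sslRootCACertsBundle as the fail-safe (via SslCALines.Text before initialisation or LoadCAFromString after it), and CertVerWinStore on TSslHttpRest. The unit OverbyteIcsWSocket, the TSslContext members IsCtxInitialized, InitContext, SslVerifyPeer and SslVerifyPeerModes, and TSslHttpRest.SslRevocation are assumed from the ICS API and are not named in the post.

```delphi
{ Added example, not from the original post or the ICS sources.
  Assumed names (not in the post): unit OverbyteIcsWSocket, TSslContext
  members IsCtxInitialized/InitContext/SslVerifyPeer/SslVerifyPeerModes,
  and TSslHttpRest.SslRevocation. }
unit TrustStoreDemo;

interface

uses
  SysUtils, Classes,
  OverbyteIcsWSocket, OverbyteIcsSslX509Utils, OverbyteIcsSslHttpRest;

function ConfigureTrustStore(Ctx: TSslContext; const BundleFile: String): Boolean;
procedure UseWindowsStore(Rest: TSslHttpRest; CheckRevocation: Boolean);

implementation

{ Bundle file first, built-in sslRootCACertsBundle as the fail-safe.
  Returns True when the bundle file was used. }
function ConfigureTrustStore(Ctx: TSslContext; const BundleFile: String): Boolean;
begin
  Result := FileExists(BundleFile);
  if Result then
    { PEM bundle such as RootCaCertsBundle.pem; read when the context is initialised }
    Ctx.SslCAFile := BundleFile
  else if Ctx.IsCtxInitialized then
    { context already initialised: load the built-in bundle now }
    Ctx.LoadCAFromString(sslRootCACertsBundle)
  else
    { not yet initialised: the built-in bundle is picked up by InitContext }
    Ctx.SslCALines.Text := sslRootCACertsBundle;
  { without peer verification a missing issuer is never reported at all }
  Ctx.SslVerifyPeer := True;
  Ctx.SslVerifyPeerModes := [SslVerifyMode_PEER];
  if not Ctx.IsCtxInitialized then
    Ctx.InitContext;
end;

{ Validate via the Windows Certificate Store (TMsCertChainEngine) instead of a bundle. }
procedure UseWindowsStore(Rest: TSslHttpRest; CheckRevocation: Boolean);
begin
  Rest.CertVerMethod := CertVerWinStore;
  { revocation checks contact each issuer and can add seconds per chain }
  Rest.SslRevocation := CheckRevocation;
end;

end.
```

A chain that still fails with 'unable to get local issuer certificate' after ConfigureTrustStore means the issuer is in neither the chosen bundle nor the built-in list, which is the case TrustedCABundle.pem is updated for.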
