Title: Certificate added to Win Store not available
Type: behavior Stage: resolved
Components: SSL, Windows Versions: Python 3.7
Status: closed Resolution: duplicate
Dependencies: Superseder: ssl.enum_certificates() regression
View: 35941
Assigned To: christian.heimes Nosy List: christian-intra2net, christian.heimes, paul.moore, steve.dower, tim.golden, zach.ware
Priority: normal Keywords:

Created on 2019-03-18 11:40 by christian-intra2net, last changed 2019-03-21 16:27 by christian-intra2net. This issue is now closed.

File name Uploaded Description Edit christian-intra2net, 2019-03-19 08:53 Sample program listing certificates and trying to connect to socket christian-intra2net, 2019-03-19 08:58 Zip-Archive with certificates and screenshots
Messages (6)
msg338198 - (view) Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-18 11:40
I have created a self-signed certificate as my fake CA, used it to sign the certificate of my test server. I added the fake CA to the client (Windows 7) certificate store (System settings > Internet Settings > Content > Certificates), imported it there first only to "trusted root certificate authorities (translating from German "Vertrauensw├╝rdige Stammzertifizierungsstellen" here), after failed tests to all tabs (including "own certificates", "intermediate certification authorities", but not the the "non-trusted issuers").

I can see my fake ca certificate in the lists in the windows settings, but querying the windows CA store through python (version 3.7), either through ssl.create_default_context().get_ca_certs() or ssl.enum_certificates(store) for store in ("CA", "ROOT", "MY") I only see some default builtin authorities (digicert, microsoft, comodo, verisign, etc).

This might be related to . The related PR is now closed but I do not see the commit in master/3.7/feature-version branch. Was it dismissed?

I am aware there are options to add certificate files to SSL_CERT_DIR, but it is my understanding that python now uses the windows certificate store and that is where in my case the certificate should go.
msg338200 - (view) Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-18 11:42
I should have added the behavioral result:

(1) opening my server's web (https, port 443) page using IE works fine without certificate questions/errors
(2) creating a ssl-wrapped socket to the server on the same port (443) fails with a Certificat error
msg338330 - (view) Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-19 08:53
A colleage motivated me to add some example data. Attached you will find a small sample program listing the certificates and trying to connect to my machine.

Output of the program:
Text "fake" nowhere to be found :-(

Traceback (most recent call last):
  File "", line 88, in <module>
  File "", line 83, in main
    ssl_sock.connect((MY_SERVER, 443))
  File "C:\Program Files (x86)\Python37-32\lib\", line 1150, in connect
    self._real_connect(addr, False)
  File "C:\Program Files (x86)\Python37-32\lib\", line 1141, in _real_connect
  File "C:\Program Files (x86)\Python37-32\lib\", line 1117, in do_handshake
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1056)
msg338332 - (view) Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-19 08:58
Certificates (fake CA and the signed certificate) as well as 2 screenshots from the import process
msg338551 - (view) Author: Steve Dower (steve.dower) * (Python committer) Date: 2019-03-21 15:58
Yeah, this is a dup of issue35941. I'm not sure why the contributor withdrew their PR, but it seems that is what happened.
msg338556 - (view) Author: Christian Herdtweck (christian-intra2net) Date: 2019-03-21 16:27
Sorry, right, that is the issue I meant. Continuing there.
Date User Action Args
2019-03-21 16:27:48christian-intra2netsetmessages: + msg338556
2019-03-21 15:58:02steve.dowersetstatus: open -> closed

superseder: ssl.enum_certificates() regression
components: + Windows

nosy: + paul.moore, tim.golden, zach.ware
messages: + msg338551
resolution: duplicate
stage: resolved
2019-03-19 18:55:57brett.cannonsetnosy: + steve.dower
2019-03-19 08:58:44christian-intra2netsetfiles: +

messages: + msg338332
2019-03-19 08:53:13christian-intra2netsetfiles: +

messages: + msg338330
2019-03-18 11:42:24christian-intra2netsetmessages: + msg338200
2019-03-18 11:40:20christian-intra2netcreate