{"id":6947,"library":"wincertstore","title":"Python module to extract CA and CRL certs from Windows' cert store","description":"wincertstore is a Python module designed to extract CA and CRL certificates from the Windows certificate store using ctypes and the Windows system cert store API through `crypt32.dll`. However, the package is officially deprecated. Since Python 2.7.9, the standard `ssl.create_default_context()` function automatically handles loading certificates from the Windows certificate store, making `wincertstore` largely redundant for modern Python applications.","status":"deprecated","version":"0.2.1","language":"en","source_language":"en","source_url":"https://github.com/tiran/wincertstore","tags":["windows","certificates","security","ssl","ca","crl"],"install":[{"cmd":"pip install wincertstore","lang":"bash","label":"Install latest version"}],"dependencies":[],"imports":[{"note":"Primary module import for accessing certificate store functionalities.","symbol":"wincertstore","correct":"import wincertstore"},{"note":"Used to open system certificate stores like 'CA' or 'ROOT'.","symbol":"CertSystemStore","correct":"from wincertstore import CertSystemStore"},{"note":"Helper class to create a temporary file with selected certificates, useful for `ssl.wrap_socket`.","symbol":"CertFile","correct":"from wincertstore import CertFile"}],"quickstart":{"code":"import wincertstore\nimport atexit\nimport ssl\nimport os\n\n# str.format() is used instead of f-strings because wincertstore only\n# supports Python 2.7 and 3.2-3.3, which predate f-strings.\nif os.name == 'nt':\n    print(\"--- Listing SERVER_AUTH certificates from CA and ROOT stores ---\")\n    for storename in (\"CA\", \"ROOT\"):\n        try:\n            with wincertstore.CertSystemStore(storename) as store:\n                print(\"Store: {}\".format(storename))\n                for cert in store.itercerts(usage=wincertstore.SERVER_AUTH):\n                    print(\"  Name: {}\".format(cert.get_name()))\n                    # print(\"  Enhanced Key Usage: {}\".format(cert.enhanced_keyusage_names()))\n                    # print(cert.get_pem().decode(\"ascii\")) # Uncomment to see PEM content\n        except Exception as e:\n            print(\"  Could not open store {}: {}\".format(storename, e))\n\n    print(\"\\n--- Example using CertFile for SSL context (requires a socket) ---\")\n    # This part requires an actual socket connection to be fully runnable.\n    # For demonstration, we'll just show the setup.\n    certfile = wincertstore.CertFile()\n    certfile.addstore(\"CA\")\n    certfile.addstore(\"ROOT\")\n    atexit.register(certfile.close) # Ensure cleanup of temporary file\n\n    # In a real application, you would pass certfile.name to ssl.wrap_socket\n    # or a requests session for CA certificate verification.\n    # Example (conceptual, requires 'sock' object):\n    # sock = some_socket_connection()\n    # ssl_sock = ssl.wrap_socket(sock, ca_certs=certfile.name, cert_reqs=ssl.CERT_REQUIRED)\n    print(\"Temporary CA file created at: {}\".format(certfile.name))\n    print(\"Remember to call certfile.close() or use atexit.register for cleanup.\")\nelse:\n    print(\"wincertstore is only applicable to Windows operating systems.\")","lang":"python","description":"This quickstart demonstrates how to iterate through certificates in the Windows system stores ('CA', 'ROOT') using `CertSystemStore` and how to prepare a temporary CA bundle file using `CertFile` for use with Python's `ssl` module. The `CertSystemStore.itercerts()` method by default filters for `SERVER_AUTH` usage."},"warnings":[{"fix":"For Python 2.7.9+ and Python 3.x, rely on `ssl.create_default_context()` for automatic Windows certificate store integration instead of `wincertstore`. If using `requests`, ensure you are on a compatible version or use `pip-system-certs` for older Python 3.x installations.","message":"The `wincertstore` package is officially deprecated. 
Since Python 2.7.9, the standard library's `ssl.create_default_context()` function automatically loads certificates from the Windows certificate store, making this package largely redundant for modern Python versions.","severity":"deprecated","affected_versions":"All versions"},{"fix":"Ensure your project's Python interpreter matches the compatible range (Python 2.7.x or 3.2.x-3.3.x). For newer Python versions (3.4+), `wincertstore` is not necessary as `ssl.create_default_context()` handles Windows cert stores natively. If you need this functionality on newer Python versions, you should use the built-in `ssl` module functions.","message":"This library has a very narrow and specific Python version compatibility. It requires Python `>=2.7`, but explicitly excludes Python `3.0.*` and `3.1.*`, and is only compatible with Python versions `<3.4.*`. This means it only supports Python 2.7.x and Python 3.2.x, 3.3.x.","severity":"breaking","affected_versions":"All versions of wincertstore 0.2.1"},{"fix":"If you need to iterate over all certificates regardless of usage, pass `usage=None` to `itercerts()`, e.g., `store.itercerts(usage=None)`. For specific usages like client authentication, use `usage=wincertstore.CLIENT_AUTH`.","message":"In version 0.2, the default behavior of `CertSystemStore.itercerts()` changed. It now only returns certificates suitable for `SERVER_AUTH` (for validating TLS/SSL server certificates) by default, whereas version 0.1 returned all certificates.","severity":"breaking","affected_versions":"0.2.x and later (compared to 0.1.x)"},{"fix":"Ensure your application is running on a Windows environment if you intend to use `wincertstore`. 
For cross-platform certificate handling, consider using a different library or managing certificates through platform-specific mechanisms.","message":"The `wincertstore` library is designed exclusively for Microsoft Windows operating systems as it directly interfaces with the Windows Certificate Store API (`crypt32.dll`). It will not function on Linux, macOS, or other non-Windows platforms.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-15T00:00:00.000Z","next_check":"2026-07-14T00:00:00.000Z","problems":[]}