Python module to extract CA and CRL certs from Windows' cert store
wincertstore is a Python module designed to extract CA and CRL certificates from the Windows certificate store using ctypes and the Windows system cert store API through `crypt32.dll`. However, the package is officially deprecated. Since Python 2.7.9, the standard `ssl.create_default_context()` function automatically handles loading certificates from the Windows certificate store, making `wincertstore` largely redundant for modern Python applications.
Warnings
- deprecated The `wincertstore` package is officially deprecated. Since Python 2.7.9, the standard library's `ssl.create_default_context()` function automatically loads certificates from the Windows certificate store, making this package largely redundant for modern Python versions.
- breaking This library has a very narrow and specific Python version compatibility. It requires Python `>=2.7`, but explicitly excludes Python `3.0.*` and `3.1.*`, and is only compatible with Python versions `<3.4.*`. This means it only supports Python 2.7.x and Python 3.2.x, 3.3.x.
- breaking In version 0.2, the default behavior of `CertSystemStore.itercerts()` changed. It now only returns certificates suitable for `SERVER_AUTH` (for validating TLS/SSL server certificates) by default, whereas version 0.1 returned all certificates.
- gotcha The `wincertstore` library is designed exclusively for Microsoft Windows operating systems as it directly interfaces with the Windows Certificate Store API (`crypt32.dll`). It will not function on Linux, macOS, or other non-Windows platforms.
Install
- `pip install wincertstore`
Imports
- wincertstore: `import wincertstore`
- CertSystemStore: `from wincertstore import CertSystemStore`
- CertFile: `from wincertstore import CertFile`
Quickstart
```python
import wincertstore
import atexit
import ssl
import os

# str.format() is used instead of f-strings so the script runs on the
# Python versions the package supports (2.7, 3.2, 3.3).
if os.name == 'nt':
    print("--- Listing SERVER_AUTH certificates from CA and ROOT stores ---")
    for storename in ("CA", "ROOT"):
        try:
            with wincertstore.CertSystemStore(storename) as store:
                print("Store: {}".format(storename))
                for cert in store.itercerts(usage=wincertstore.SERVER_AUTH):
                    print("  Name: {}".format(cert.get_name()))
                    # print("  Enhanced Key Usage: {}".format(cert.enhanced_keyusage_names()))
                    # print(cert.get_pem().decode("ascii"))  # Uncomment to see PEM content
        except Exception as e:
            print("  Could not open store {}: {}".format(storename, e))

    print("\n--- Example using CertFile for SSL context (requires a socket) ---")
    # This part requires an actual socket connection to be fully runnable.
    # For demonstration, we'll just show the setup.
    certfile = wincertstore.CertFile()
    certfile.addstore("CA")
    certfile.addstore("ROOT")
    atexit.register(certfile.close)  # Ensure cleanup of temporary file

    # In a real application, you would pass certfile.name to ssl.wrap_socket
    # or a requests session for CA certificate verification.
    # Example (conceptual, requires 'sock' object):
    # sock = some_socket_connection()
    # ssl_sock = ssl.wrap_socket(sock, ca_certs=certfile.name, cert_reqs=ssl.CERT_REQUIRED)
    print("Temporary CA file created at: {}".format(certfile.name))
    print("Remember to call certfile.close() or use atexit.register for cleanup.")
else:
    print("wincertstore is only applicable to Windows operating systems.")
```
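For the standard-library route the deprecation warning points to, the following added example (not code from the wincertstore project) shows the stdlib counterpart of `itercerts(usage=SERVER_AUTH)` and a verifying client context. It assumes Python 3.4 or later; the function names and the `SAMPLE` entries are constructed for illustration.

```python
import ssl
import sys

# OID of the TLS server-authentication extended key usage (id-kp-serverAuth).
SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"


def filter_server_auth(entries):
    """Keep X.509 entries trusted for server auth and return them as PEM.

    `entries` has the shape returned by ssl.enum_certificates():
    (cert_bytes, encoding_type, trust), where trust is True (all purposes)
    or a set of EKU OID strings.
    """
    pems = []
    for cert_bytes, encoding, trust in entries:
        if encoding != "x509_asn":  # skip PKCS#7 blobs
            continue
        if trust is True or SERVER_AUTH_OID in trust:
            pems.append(ssl.DER_cert_to_PEM_cert(cert_bytes))
    return pems


def windows_server_auth_roots(stores=("CA", "ROOT")):
    """Stdlib counterpart of itercerts(usage=SERVER_AUTH); Windows only."""
    if sys.platform != "win32":
        return []
    entries = []
    for name in stores:
        entries.extend(ssl.enum_certificates(name))
    return filter_server_auth(entries)


def verifying_context():
    """Client context that loads the system trust store and verifies peers."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)


# Constructed sample entries (placeholder bytes, not real certificates).
SAMPLE = [
    (b"\x30\x03\x02\x01\x01", "x509_asn", True),
    (b"\x30\x03\x02\x01\x02", "x509_asn", {SERVER_AUTH_OID}),
    (b"\x30\x03\x02\x01\x03", "x509_asn", {"1.3.6.1.5.5.7.3.4"}),  # e-mail only
    (b"\x30\x03\x02\x01\x04", "pkcs_7_asn", True),
]

if __name__ == "__main__":
    print(len(filter_server_auth(SAMPLE)), "sample entries usable for TLS")
    print(len(windows_server_auth_roots()), "certificates from Windows stores")
```

The context returned by `verifying_context()` already has `CERT_REQUIRED` and hostname checking enabled, so no temporary CA file has to be written or cleaned up.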