Certificates that the X509Store and X509Certificate2 consider valid can result in errors when loaded in OpenSSL #12693

@danegsta

Is there an existing issue for this?

  • I have searched the existing issues

Describe the bug

We've seen a few cases where certificates that seem to be valid on Windows result in errors when included in the certificate trust set for OpenSSL. This is an issue when trying to copy certificates from Windows into a Linux container or provide them to Python, Node, or other languages that use OpenSSL-based certificate processing.

DCP has the ability to validate certificates to ensure they're valid for OpenSSL, but we currently only make use of it for individual certificates copied to a container. We should extend this functionality to work with both containers and executables for both individual certificate files and bundles. That would allow us to ensure applications only receive valid certificates.

Expected Behavior

No response

Steps To Reproduce

No response

Exceptions (if any)

No response

.NET Version info

No response

Anything else?

No response
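
Added example, not part of the original issue and not DCP's or Aspire's own code: one way to pre-filter a PEM bundle so that only entries OpenSSL can load reach a container or executable, using Python's OpenSSL-backed `ssl` module. It assumes "valid for OpenSSL" means "loads into an OpenSSL trust store"; the function names are hypothetical, and the sample bundle holds only constructed, deliberately malformed entries.

```python
import base64
import re
import ssl

# One PEM certificate block; text between blocks (comments, labels) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def openssl_load_error(pem_block):
    """Return None if OpenSSL loads the certificate, otherwise the error text."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # fresh, empty trust store
    try:
        ctx.load_verify_locations(cadata=pem_block)
    except (ssl.SSLError, ValueError) as exc:  # ValueError: non-ASCII input
        return str(exc)
    return None


def filter_bundle(bundle_text):
    """Split a PEM bundle and keep only the entries OpenSSL accepts.

    Returns (clean_bundle, rejected), rejected being (index, error) pairs.
    """
    accepted, rejected = [], []
    for index, match in enumerate(PEM_BLOCK.finditer(bundle_text)):
        error = openssl_load_error(match.group(0))
        if error is None:
            accepted.append(match.group(0) + "\n")
        else:
            rejected.append((index, error))
    return "".join(accepted), rejected


def _pem(body):
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: both entries are deliberately malformed.
SAMPLE_BUNDLE = (
    _pem(base64.b64encode(b"constructed: not a DER certificate").decode())
    + "# constructed comment between entries\n"
    + _pem("!!! constructed: not base64 !!!")
)

if __name__ == "__main__":
    clean, rejected = filter_bundle(SAMPLE_BUNDLE)
    for index, error in rejected:
        print(f"entry {index} rejected: {error}")
    print(f"{clean.count('BEGIN CERTIFICATE')} entries kept")
```

Logging the rejected index and error text alongside the certificate's source makes it possible to trace which Windows store entry was withheld from the application.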

Metadata

Labels

  • area-app-model: Issues pertaining to the APIs in Aspire.Hosting, e.g. DistributedApplication
  • area-orchestrator
