Support for the Certificate Trust Store on Windows


#1

From what I was told, Chef doesn't presently support trusting certificates from the Windows OS trust store. This makes it cumbersome to manage the certs outside of the OS just for Chef, especially when the cert is already trusted by the OS!

Is there an upcoming version of chef client where certs in the OS trust store will be supported natively?


#2

Your understanding is correct as of today -- the underlying Ruby, and specifically OpenSSL, does not load any certs from the Windows Certificate trust store natively. Chef itself does add certificates found in the c:\chef\trusted_certs folder for Chef operations (e.g. communicating with your Chef Server).

If you are able to elaborate more on your use case I would drop that as feedback to https://feedback.chef.io - thanks!


#3

Thanks for the response.

My use case is quite simple: I don't want to have to manage cert files on my nodes just for Chef. Rather, if the certificate is trusted on the host, Chef should trust it without any additional cert management activities required (e.g. placing and managing cert files in trusted_certs for every client).