How to enable using certs from the Windows Certificate Store?

[jnahmias]

Our webservers use TLS certificates that are signed using the Windows CA that is built into our Active Directory deployment, aka Active Directory Certificate Services [ADCS]. The root certificate for ADCS is installed in the Windows Certificate Store, so the TLS session is properly anchored and show correctly in MS Edge, Firefox, etc... However, when trying to use cURL for Windows, it reports that these certs are self-signed and refuses to trust them.

How do I get cURL to look/find the root for these certs in the windows trust root? I suspect that the answer has something to do with Schannel, but am lost beyond that...

Sample output:

C:\>curl -V
curl 8.0.1 (x86_64-w64-mingw32) libcurl/8.0.1 OpenSSL/3.1.0 (Schannel) zlib/1.2.13 brotli/1.0.9 zstd/1.5.5 WinIDN libssh2/1.10.0 nghttp2/1.52.0 ngtcp2/0.14.1 nghttp3/0.10.0 libgsasl/2.2.0
Release-Date: 2023-03-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp ws wss
Features: alt-svc AsynchDNS brotli gsasl HSTS HTTP2 HTTP3 HTTPS-proxy IDN IPv6 Kerberos Largefile libz MultiSSL NTLM SPNEGO SSL SSPI threadsafe TLS-SRP UnixSockets zstd

C:\>curl https://test.example.org/
curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[jnahmias]

curl PR#11409

[jnahmias]

Workaround is to use set CURL_SSL_BACKEND=Schannel