On Windows and Mac OS, the server's TLS subsytem supports an option named net.tls.certificateSelector. This option is an alternative to net.tls.certificateKeyFile, and allows an administrator to specify an identifier for a X.509 certificate and private key contained in the system trust store which the server will attempt to use. The administrator doesn't need to provision a PEM file containing these artefacts. This is convenient if the system is centrally managed, and has relevant CAs and identities pre-provisioned in the system trust store.

To maintain platform equivalence, we should introduce support for the following options to the OpenSSL implementation of the server's TLS stack:

• net.tls.certificateSelector
• net.tls.clusterCertificateSelector