I'm unsure if this would prevent the winstore module from being built in OpenSSL, but I did notice that node disables dynamic engines & the Windows CAPI in openssl.gypi to "avoid build errors on Win"

Removing those two defines from the build doesn't seem to break it for me, so there's a potential that they can be removed if required. Maybe there's a good reason why dynamic engines are disabled 🤷‍♂️

In light of the recent ESET issue outlined here https://forum.eset.com/topic/40702-eset-ssl-protection-produces-an-invalid-certificate-chain-for-nodejs-apps this deserves higher priority.

Not only for the fact that there was a problem with ESET (and potential scanners in the future) but for the fact that Node windows certificate issues have always been a pain in the ass / issue outside of that particular problem.

Windows certificate store has been around forever and is a core security feature of the OS. There is no excuse not to support it especially after OpenSSL officially supports it now.

There has been no activity on this feature request for 5 months. To help maintain relevant open issues, please add the never-stale Mark issue so that it is never considered stale label or close this issue if it should be closed. If not, the issue will be automatically closed 6 months after the last non-automated comment.
For more information on how the project manages feature requests, please consult the feature request management document.

Working on Windows with nodejs and custom certificates is a pain. Please implement this feature.

This is definitely an issue for us.

Setting NODE_TLS_REJECT_UNAUTHORIZED=0 to disable certificate validation completely works as a kludge to get local development up and running, but including it anywhere near a code base introduces the unnecessary risk of someone accidentally pushing the setting to a production environment.

How is this not fixed already?

This has been fixed by #56833 under --use-system-ca.