TLS with Client Authentication using private key from Windows store

Ferenc Gerlits fgerlits at
Mon Nov 23 12:03:55 UTC 2020


I am trying to use openssl to implement a client-side TLS connection with
Client Authentication on Windows, using a non-exportable private key stored
in the Windows Certificate Store.  Currently, our code can use a private
key stored in a local file, and if the key in the Windows store was
exportable, I could export it and use it in the existing code.  But the key
is non-exportable, which is a problem.

Does anyone know how to do this?

So far, I have found suggestions to use the CAPI engine (eg., but
no examples of how to do that, and also some tickets (eg. which say that the CAPI
engine does not work with TLS >= 1.2 on openssl 1.1.1, so that doesn't look
like a good solution.

Any help would be appreciated!

Thank you,
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list