TLS with Client Authentication using private key from Windows store

Jan Just Keijser janjust at
Tue Nov 24 15:12:58 UTC 2020

Hi Ferenc,

On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote:
> Hi,
> I am trying to use openssl to implement a client-side TLS connection 
> with Client Authentication on Windows, using a non-exportable private 
> key stored in the Windows Certificate Store.  Currently, our code can 
> use a private key stored in a local file, and if the key in the 
> Windows store was exportable, I could export it and use it in the 
> existing code.  But the key is non-exportable, which is a problem.
> Does anyone know how to do this?
> So far, I have found suggestions to use the CAPI engine (eg. 
> but no examples of how to do that, and also some tickets (eg. 
> which say that the 
> CAPI engine does not work with TLS >= 1.2 on openssl 1.1.1, so that 
> doesn't look like a good solution.
OpenVPN 2.4+ can use the Windows Certificate Store to encrypt and sign 
traffic using CNG (Crypto Next Gen, I believe). I'd suggest you download 
the source code and examine the file cryptoapi.c for details.
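Before choosing between the CAPI engine and a CNG-based approach such as the one in OpenVPN's cryptoapi.c, it helps to know which key storage API actually holds the certificate's private key and whether it really is marked non-exportable. The following PowerShell inventory is an added example, not code from this thread, from OpenVPN or from OpenSSL; the store path (the current user's personal store) is an assumption, and the output column names are my own.

```powershell
# Added example (not from the thread): list certificates with a private key in
# the current user's personal store and report, for each key, whether it is held
# by a legacy CAPI CSP or a CNG key storage provider, and whether it is exportable.
# Assumption: the certificates of interest live in Cert:\CurrentUser\My.

function Get-ClientKeyInfo {
    param(
        [string]$StorePath = 'Cert:\CurrentUser\My'   # assumption: personal store
    )

    Get-ChildItem -Path $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        $info = [ordered]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KeyApi     = 'unknown'
            Provider   = 'unknown'
            Exportable = 'unknown'
        }

        try {
            # GetRSAPrivateKey returns RSACng for keys held by a CNG key storage
            # provider and RSACryptoServiceProvider for legacy CAPI CSPs.
            $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $info.KeyApi = 'non-RSA or inaccessible'
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                $info.KeyApi     = 'CNG'
                $info.Provider   = $rsa.Key.Provider.Provider
                # ExportPolicy is a flags value; None means the key material never
                # leaves the KSP, so the application must sign through the KSP.
                $info.Exportable = ($rsa.Key.ExportPolicy -ne
                    [System.Security.Cryptography.CngExportPolicies]::None)
            }
            elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $info.KeyApi     = 'CAPI'
                $info.Provider   = $rsa.CspKeyContainerInfo.ProviderName
                $info.Exportable = $rsa.CspKeyContainerInfo.Exportable
            }
        }
        catch {
            # Typically access denied: the key needs a PIN, or belongs to another account.
            $info.KeyApi = "error: $($_.Exception.Message)"
        }

        [pscustomobject]$info
    }
}

Get-ClientKeyInfo | Format-Table -AutoSize
```

A key reported as CNG with Exportable = False is behaving as designed: the private key material is meant to stay inside the key storage provider, so the TLS client has to delegate signing to the KSP (which is what cryptoapi.c and the OpenSSL CAPI engine arrange) rather than read the key into its own memory. A key reported as CAPI with a legacy CSP is the case the CAPI engine was written for; the TLS 1.2 limitation mentioned in the question applies there.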


