TLS with Client Authentication using private key from Windows store
Jan Just Keijser
janjust at nikhef.nl
Tue Nov 24 15:12:58 UTC 2020
Hi Ferenc,
On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote:
> Hi,
>
> I am trying to use openssl to implement a client-side TLS connection
> with Client Authentication on Windows, using a non-exportable private
> key stored in the Windows Certificate Store. Currently, our code can
> use a private key stored in a local file, and if the key in the
> Windows store was exportable, I could export it and use it in the
> existing code. But the key is non-exportable, which is a problem.
>
> Does anyone know how to do this?
>
> So far, I have found suggestions to use the CAPI engine (eg.
> https://groups.google.com/g/mailing.openssl.users/c/_rdJLc7emAY?pli=1),
> but no examples of how to do that, and also some tickets (eg.
> https://github.com/openssl/openssl/issues/12859) which say that the
> CAPI engine does not work with TLS >= 1.2 on openssl 1.1.1, so that
> doesn't look like a good solution.
>
>
OpenVPN 2.4+ can use the Windows Certificate Store to encrypt and sign
traffic using CNG (Crypto Next Gen, I believe). I'd suggest you download
the source code and examine the file cryptoapi.c for details.
HTH,
JJK
More information about the openssl-users
mailing list