TLS with Client Authentication using private key from Windows store

TLS with Client Authentication using private key from Windows store

OpenSSL - User mailing list
Hi,

I am trying to use openssl to implement a client-side TLS connection with Client Authentication on Windows, using a non-exportable private key stored in the Windows Certificate Store. Currently, our code can use a private key stored in a local file, and if the key in the Windows store were exportable, I could export it and use it in the existing code. But the key is non-exportable, which is a problem.

Does anyone know how to do this?

So far, I have found suggestions to use the CAPI engine (e.g., https://groups.google.com/g/mailing.openssl.users/c/_rdJLc7emAY?pli=1), but no examples of how to do that, and also some tickets (e.g., https://github.com/openssl/openssl/issues/12859) which say that the CAPI engine does not work with TLS >= 1.2 on openssl 1.1.1, so that doesn't look like a good solution.

Any help would be appreciated!

Thank you,
Ferenc

Re: TLS with Client Authentication using private key from Windows store

Jan Just Keijser-2
Hi Ferenc,

On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote:

> Hi,
>
> I am trying to use openssl to implement a client-side TLS connection
> with Client Authentication on Windows, using a non-exportable private
> key stored in the Windows Certificate Store.  Currently, our code can
> use a private key stored in a local file, and if the key in the
> Windows store were exportable, I could export it and use it in the
> existing code.  But the key is non-exportable, which is a problem.
>
> Does anyone know how to do this?
>
> So far, I have found suggestions to use the CAPI engine (e.g.,
> https://groups.google.com/g/mailing.openssl.users/c/_rdJLc7emAY?pli=1),
> but no examples of how to do that, and also some tickets (e.g.,
> https://github.com/openssl/openssl/issues/12859) which say that the
> CAPI engine does not work with TLS >= 1.2 on openssl 1.1.1, so that
> doesn't look like a good solution.
>
>
OpenVPN 2.4+ can use the Windows Certificate Store to encrypt and sign
traffic using CNG (Crypto Next Gen, I believe). I'd suggest you download
the source code and examine the file cryptoapi.c for details.

HTH,

JJK
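Before choosing between the CAPI engine route Ferenc mentions and the CNG route JJK points at in OpenVPN's cryptoapi.c, it helps to know which key API actually holds the private key. The OpenSSL 1.1.1 capi engine drives the legacy CryptoAPI (CSP) interface, whereas a key that exists only in a CNG key storage provider (a TPM-backed key under the Microsoft Platform Crypto Provider, for instance) can only be used through CNG. The script below is an added example for this thread, not code from either poster, from OpenSSL or from OpenVPN: it inventories the certificates with private keys in a store, filters for client authentication, and reports whether each key is CSP- or KSP-backed and whether it is exportable. The store path, the EKU filter and the "hardware" heuristic for CNG keys are assumptions; change them for your environment.

```powershell
# Added example (not from the thread, OpenSSL or OpenVPN).
# For every certificate with a private key in a Windows certificate store,
# report which key API backs the key (legacy CryptoAPI CSP vs. CNG KSP),
# whether it is exportable, and whether it is a candidate for OpenSSL's
# CryptoAPI-based capi engine.

$StorePath  = 'Cert:\CurrentUser\My'    # assumption: user store; services usually need Cert:\LocalMachine\My
$ClientAuth = '1.3.6.1.5.5.7.3.2'       # id-kp-clientAuth EKU OID

function Get-KeyStorageInfo {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # The algorithm-specific extension methods return a concrete object whose
    # type (RSACryptoServiceProvider vs. RSACng/ECDsaCng) reveals the key API.
    $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $key) {
        $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($Cert)
    }
    if (-not $key) { return $null }

    if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $info = $key.CspKeyContainerInfo
        return [pscustomobject]@{
            KeyApi     = 'CryptoAPI (CSP)'
            Provider   = $info.ProviderName
            Container  = $info.KeyContainerName
            Exportable = $info.Exportable
            Hardware   = $info.HardwareDevice
        }
    }

    if ($key.PSObject.Properties['Key'] -and $key.Key -is [System.Security.Cryptography.CngKey]) {
        $cng = $key.Key
        return [pscustomobject]@{
            KeyApi     = 'CNG (KSP)'
            Provider   = $cng.Provider.Provider
            Container  = $cng.KeyName
            Exportable = $cng.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
            # Assumption: treat the Platform Crypto Provider (TPM) as the hardware case.
            Hardware   = ($cng.Provider.Provider -eq 'Microsoft Platform Crypto Provider')
        }
    }

    return [pscustomobject]@{ KeyApi = 'unknown'; Provider = $null; Container = $null; Exportable = $null; Hardware = $null }
}

function Get-ClientAuthCertificateReport {
    param([string]$Path = $StorePath)

    Get-ChildItem -Path $Path | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_

        # No EKU extension means "any purpose"; otherwise require id-kp-clientAuth.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        if ($ekus.Count -gt 0 -and $ekus -notcontains $ClientAuth) { return }

        $storage = Get-KeyStorageInfo -Cert $cert
        [pscustomobject]@{
            Thumbprint          = $cert.Thumbprint
            Subject             = $cert.Subject
            NotAfter            = $cert.NotAfter
            Algorithm           = $cert.PublicKey.Oid.FriendlyName
            KeyApi              = $storage.KeyApi
            Provider            = $storage.Provider
            Exportable          = $storage.Exportable
            Hardware            = $storage.Hardware
            # Only CSP-backed keys are reachable through the CryptoAPI-based capi engine.
            CapiEngineCandidate = ($storage.KeyApi -eq 'CryptoAPI (CSP)')
        }
    }
}

Get-ClientAuthCertificateReport | Format-Table -AutoSize
```

Run it in Windows PowerShell 5.1 or PowerShell 7 on Windows as the user whose store holds the certificate. Opening a smart-card or TPM key may trigger a PIN prompt. If `Exportable` is true, the existing file-based code path in the original post is still an option; if it is false and `KeyApi` is `CNG (KSP)`, the capi engine will not reach the key and a CNG-aware path like the one JJK describes is needed. On newer .NET runtimes some CSP keys can be surfaced through CNG, so also look at the `Provider` column: names containing "Cryptographic Provider" are CSPs, "Key Storage Provider" or "Platform Crypto Provider" are KSPs.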