## Reference ca.crt from Windows Certificate Store

Scripts to manage certificates or generate config files
mosesmosheh
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 23, 2020 12:59 pm

### Reference ca.crt from Windows Certificate Store

Hello

I have see that it is possible to use the cryptoapicert directive to replace the cert and key directives, where the thumbprint or subject of the certificate can be specified to bring in the cert. I.e.:

Code: Select all

--cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." 
I wonder, is it possible to do something similar to specify the Certificate Authority crt?
E.g.

Code: Select all

--ca "THUMB:f2 44 15 62 11 c8 ..."

rather than

Code: Select all

--ca c:\path\to\ca.crt

Moses

TinCanTech
OpenVPN Protagonist
Posts: 8136
Joined: Fri Jun 03, 2016 1:17 pm

### Re: Reference ca.crt from Windows Certificate Store

mosesmosheh wrote:
Thu Apr 23, 2020 1:37 pm
is it possible to do something similar to specify the Certificate Authority crt?
E.g.

Code: Select all

--ca "THUMB:f2 44 15 62 11 c8 ..."
No.

The CA certificate is not a private key and so does not need to be protected.

mosesmosheh
OpenVpn Newbie
Posts: 2
Joined: Thu Apr 23, 2020 12:59 pm

### Re: Reference ca.crt from Windows Certificate Store

Thanks for the reply. I see what you're saying.

What I was trying to do is push our ca.crt out to our Windows Endpoints neatly from the domain controller. I wanted to add it as a trusted CA from the DC, but I don't know how I could call it from the config file on the client machines. Any ideas?