Is there a way to create a profile that will use the Windows certificate store?

bp81
OpenVpn Newbie
Posts: 4
Joined: Tue Aug 10, 2021 3:14 pm

Is there a way to create a profile that will use the Windows certificate store?

Post by bp81 » Tue Aug 10, 2021 3:19 pm

As the title asks.

I am setting up a VPN remote access server using OpenVPN and am using client certificate + username and password authentication.

I am doing this with a pfSense router/firewall. It has a utility to export an 'Inline Configuration' which will import to an OpenVPN client and work perfectly fine. The 'inline' configuration file includes the necessary certificates, including the client certificate. It also includes the private key of the client certificate in plain text.

I don't think I have to explain here how serious of a security problem that is.

Is there a way to set an openvpn configuration profile to use a Windows 10 machine's certificate store instead of having the certificates embedded in the profile? This would need to work for both client certificates and server certificates. I have other infrastructure on hand I can use to securely deploy the client certificates as pfx/p12 files.

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: Is there a way to create a profile that will use the Windows certificate store?

Post by becm » Fri Aug 20, 2021 10:49 am

The cryptoapicert option can be used to refer to cert/key material in the Windows certificate store.
See the OpenVPN manual.

In the server context there might be issues regarding cert/process ownership.
The client setup in most cases (user certificates) is straightforward.
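
The conversion discussed in this thread, as an added example that is not part of either post and not pfSense or OpenVPN code: it strips the embedded client certificate and private key from an inline profile and points the profile at the Windows certificate store with `cryptoapicert "THUMB:..."`. The function name, the sample profile, the thumbprint used with it and the assumption that the export uses `<cert>`, `<key>` or `<pkcs12>` blocks are all hypothetical; the certificate itself must already have been imported into the user's store from the pfx/p12 file.

```python
import re

# Inline blocks and file directives that carry the client identity (assumed set).
IDENTITY = ("cert", "key", "pkcs12", "cryptoapicert")

# Constructed sample in the shape of an inline export; every value is a placeholder.
SAMPLE = """client
dev tun
remote vpn.example.com 1194 udp
auth-user-pass
<ca>
(constructed placeholder CA certificate)
</ca>
<cert>
(constructed placeholder client certificate)
</cert>
<key>
-----BEGIN PRIVATE KEY-----
(constructed placeholder)
-----END PRIVATE KEY-----
</key>
"""

def to_store_profile(profile, thumbprint):
    """Return the profile with embedded client cert/key replaced by cryptoapicert."""
    digits = re.sub(r"[\s:]", "", thumbprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", digits):
        raise ValueError("expected a 40-hex-digit SHA-1 certificate thumbprint")
    spaced = " ".join(digits[i:i + 2] for i in range(0, 40, 2))
    out, skipping = [], None
    for line in profile.splitlines():
        stripped = line.strip()
        if skipping:                      # inside a dropped inline block
            if stripped == f"</{skipping}>":
                skipping = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", stripped)
        if m and m.group(1) in IDENTITY:  # start of <cert>, <key> or <pkcs12>
            skipping = m.group(1)
            continue
        first = stripped.split(None, 1)[0] if stripped else ""
        if first in IDENTITY:             # file-based cert/key/pkcs12 directive
            continue
        out.append(line)                  # <ca>, tls-auth, key-direction etc. stay
    if skipping:
        raise ValueError(f"unterminated <{skipping}> block")
    out.append(f'cryptoapicert "THUMB:{spaced}"')
    result = "\n".join(out) + "\n"
    if "PRIVATE KEY" in result:           # refuse to emit a profile that still leaks the key
        raise ValueError("private key material still present in profile")
    return result
```

The `<ca>` block is kept because it holds only the public CA certificate the client uses to verify the server.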
