The certs are deployed via GPO & are located in the respective certificate stores (with the distinguished name, email & principal name from AD for user & computer name for computer as the Subject respectively) & OpenVPN 2.5.1 is deployed with both Interactive & Service modes enabled.
Here is our .ovpn file:
remote server.name 443 tcp4
setenv opt block-outside-dns
verify-x509-name "server.name" name
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
If the following .ovpn file is placed in config-auto, it runs fine under the OpenVPNService Service, using the Computer certificate. The computer cert appears in pfSense's VPN Connection List & resources can be accessed fine.
If the same .ovpn is placed in the config folder (or the C:\Users\USERNAME\OpenVPN\config folder) & we attempt to make OpenVPN use the certificate under the Current User Personal Certificate store, it fails with the following error:
2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store