The certs are deployed via GPO & are located in the respective certificate stores (with the distinguished name, email & principal name from AD for user & computer name for computer as the Subject respectively) & OpenVPN 2.5.1 is deployed with both Interactive & Service modes enabled.
Here is our .ovpn file:
persist-tun
persist-key
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-GCM
auth SHA256
tls-client
client
resolv-retry infinite
remote server.name 443 tcp4
setenv opt block-outside-dns
verify-x509-name "server.name" name
remote-cert-tls server
compress
<ca>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</ca>
cryptoapicert "SUBJ:"
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
x
-----END OpenVPN Static key V1-----
</tls-auth>
If the following .ovpn file is placed in config-auto, it runs fine under the OpenVPNService service, using the Computer certificate. The computer cert appears in pfSense's VPN Connection List & resources can be accessed fine.
If the same .ovpn is placed in the config folder (or the C:\Users\USERNAME\OpenVPN\config folder) & we attempt to make OpenVPN use the certificate under the Current User Personal Certificate store, it fails with the following error:
2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store
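The error above comes from CryptAcquireCertificatePrivateKey failing to reach a private key for the certificate selected by `cryptoapicert`. The following PowerShell diagnostic is an added example (not from the original post or from OpenVPN): it lists certificates in the Current User and Local Machine Personal stores whose Subject matches a string and reports, for each, whether the store merely records a linked key and whether the key can actually be opened under the account running the script; `$SubjectMatch` is an assumed placeholder for the value used after `SUBJ:`.

```powershell
# Added diagnostic, not part of the original post. Run it once as the logged-in
# user (to inspect what OpenVPN in Interactive mode sees) and once as SYSTEM
# (e.g. via PsExec -s) for the Service-mode view.
param([string]$SubjectMatch = "PLACEHOLDER-SUBJECT")   # assumed placeholder

$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

foreach ($store in 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My') {
    Get-ChildItem $store |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        ForEach-Object {
            $cert         = $_
            $canOpenKey   = $false
            $providerName = $null
            $failure      = $null
            try {
                # Returns $null when no private key is linked; throws when the
                # store lists a key that this account cannot open.
                $rsa = $rsaExt::GetRSAPrivateKey($cert)
                if ($rsa) {
                    $canOpenKey = $true
                    if ($rsa -is [System.Security.Cryptography.RSACng]) {
                        $providerName = $rsa.Key.Provider.Provider          # CNG KSP
                    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                        $providerName = $rsa.CspKeyContainerInfo.ProviderName  # legacy CSP
                    }
                }
            } catch {
                $failure = $_.Exception.Message
            }
            [pscustomobject]@{
                Store         = $store
                Subject       = $cert.Subject
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey   # store metadata only
                CanOpenKey    = $canOpenKey           # key really usable here
                Provider      = $providerName
                Error         = $failure
            }
        }
}
```

A row with HasPrivateKey true but CanOpenKey false under the account OpenVPN runs as is the condition that produces the CryptAcquireCertificatePrivateKey error shown in the log.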