Error: ExternalKeyAgent: no cert/key pairs found in 'user' store were issued by OpenVPN CA

[CM1975a]

Hello, I have a tricky question about an issue that has started about two months ago, regarding our installed OpenVPN certificates stopping working. We are currently using an access server running OpenVPN Access Server version 2.8.8 in a hybrid environment. We have about 60 clients who connect periodically throughout the day using client software version 2.7.1.111. The issue, specifically, is that users will get the error "azvpn.companyname.com disconnected. ExternalKeyAgent: no cert/key pairs found in 'user' store were issued by OpenVPN CA." At this point they are unable to connect to the VPN.

I've found a work-around for the issue that involves establishing a remote support session to the affected PC, installing my own OpenVPN cert in certmgr.msc, which allows the PC to connect to the VPN, and from there I have the user log into one of our Azure servers to download a new OpenVPN cert for themselves. We install that cert on their machine and remove my own. At which point they are able to resume normal connectivity.

I have not been able to determine a pattern to this issue. It seems to affect about 2-3 people a week for the past couple months, at random. I'm not sure if it's related to their Windows password being changed, some kind of TPM issue, the ongoing Windows 11 upgrades, or something else. It's almost as if their existing cert has just "stopped working" (they're not expired, I checked that).

Wanted to know if anyone has seen this before? Any suggestions? It's not a major issue, since I can fix it in 10-15 minutes through a remote support session, but obv. would like to prevent it from continuing to happen in the future, if possible. Thoughts?