Is it better pkcs12 certificate or separate files?

Scripts to manage certificates or generate config files


Daimroc
OpenVPN User
Posts: 32
Joined: Tue Feb 25, 2014 8:28 am

Is it better pkcs12 certificate or separate files?

Post by Daimroc » Tue Feb 25, 2014 8:34 am

All the guides that I have read use the crt and key files for authentication, but I know that OpenVPN allows the use of pkcs12 certificates that have the private and public key in the same file. Which of the two options is better?

In Windows, I can install the certificates, so it is not necessary to have the files in the config folder, so I think that it is more secure this way. Also, if I am not wrong, if I install a pkcs12 certificate I can choose not to allow export of the private key, so I think that it is a good option for security, but I am not sure if it is possible to use installed certificates in Windows with OpenVPN.

Thanks.
Daimroc.

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: Is it better pkcs12 certificate or separate files?

Post by maikcat » Wed Feb 26, 2014 7:48 am

you CAN use a certificate which is already imported into your windows OS
--cryptoapicert select-string
Load the certificate and private key from the Windows Certificate System Store
(Windows Only).

Use this option instead of --cert and --key.

This makes it possible to use any smart card, supported by Windows, but also any kind of certificate, residing in the Cert Store, where you have access to the private key. This option has been tested with a couple of different smart cards (GemSAFE, Cryptoflex, and Swedish Post Office eID) on the client side, and also an imported PKCS12 software certificate on the server side.

To select a certificate, based on a substring search in the certificate's subject:

cryptoapicert "SUBJ:Peter Runestig"

To select a certificate, based on certificate's thumbprint:

cryptoapicert "THUMB:f6 49 24 41 01 b4 ..."

The thumbprint hex string can easily be copy-and-pasted from the Windows Certificate Store GUI.
Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"
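As an added example (not code from either poster or from the OpenVPN project), the following PowerShell script does what the two posts above describe end to end: it imports a PKCS#12 bundle into the current user's Windows certificate store without marking the private key exportable, then writes a client config fragment that references the certificate with cryptoapicert "THUMB:..." instead of cert/key files. The .p12 path, the server name and the output path are placeholders, and the script assumes the PKI module (Import-PfxCertificate, Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the original thread.
# Import a PKCS#12 bundle with a NON-exportable private key and emit an
# OpenVPN config that uses --cryptoapicert instead of --cert/--key.
param(
    [Parameter(Mandatory = $true)][string]$PfxPath,   # e.g. C:\certs\client.p12 (placeholder)
    [string]$ConfigOut = "$env:USERPROFILE\client-cryptoapi.ovpn"
)

$pw = Read-Host -AsSecureString -Prompt "PKCS#12 password"

# Import-PfxCertificate is called WITHOUT -Exportable, so Windows stores the
# private key as non-exportable: OpenVPN can still sign with it through
# CryptoAPI, but the key cannot be copied out of the store as a file.
$cert = Import-PfxCertificate -FilePath $PfxPath `
                              -CertStoreLocation Cert:\CurrentUser\My `
                              -Password $pw

# Windows reports the thumbprint as one uppercase hex string; the man page
# example uses lowercase, space-separated hex pairs, so reformat it that way.
$thumb = ($cert.Thumbprint -replace '(..)', '$1 ').Trim().ToLower()

# Client config fragment: cryptoapicert replaces the cert and key directives.
# The CA certificate is still a file, since only the client identity lives
# in the Windows store.
@"
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
cryptoapicert "THUMB:$thumb"
"@ | Set-Content -Path $ConfigOut -Encoding ASCII

Write-Host "Imported '$($cert.Subject)' with a non-exportable private key."
Write-Host "Wrote $ConfigOut using: cryptoapicert `"THUMB:$thumb`""
```

Selecting by thumbprint rather than "SUBJ:" avoids ambiguity when several certificates in the store share a subject string.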
