Cannot load certificate THUMB from Microsoft Certificate Store

OpenVPN tutorials ranging from configuration to hacks to compilation will be posted here.


tripline
OpenVpn Newbie
Posts: 3
Joined: Fri Dec 29, 2017 4:22 pm

Cannot load certificate THUMB from Microsoft Certificate Store

Post by tripline » Fri Dec 29, 2017 4:51 pm

I could use some assistance. I am setting up a Synology NAS as the VPN server.
I stored the cert with the thumbprint under Computer Account > Personal > Certificates
I am following user pwatk's directions for the setup https://forum.synology.com/enu/viewtopic.php?t=100066

The server log says
Fri Dec 29 10:40:45 2017 Warning: cryptapicert used, setting maximum TLS version to 1.1.
Fri Dec 29 10:40:45 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Fri Dec 29 10:40:45 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Fri Dec 29 10:40:45 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Fri Dec 29 10:40:50 2017 OpenSSL: error:C5065064:microsoft cryptoapi:CertFindCertificateInStore:Cannot find object or property.
Fri Dec 29 10:40:50 2017 Cannot load certificate "THUMB:‎MY THUMB PRINT" from Microsoft Certificate Store
Fri Dec 29 10:40:50 2017 Exiting due to fatal error

client
dev tun
proto udp
remote $MyPublicIP 1194
resolv-retry infinite
nobind
persist-key
persist-tun

#ns-cert-type is DEPRECATED
#ns-cert-type server
remote-cert-tls server

comp-lzo

cipher AES-128-CBC
auth SHA256
auth-user-pass
key-direction 1

cryptoapicert "THUMB:‎MY THUMB"
<ca>
-----BEGIN CERTIFICATE-----
$LONG CERT
-----END CERTIFICATE-----
</ca>
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
$LONG KEY
-----END OpenVPN Static key V1-----
</tls-auth>

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by TinCanTech » Fri Dec 29, 2017 5:10 pm

tripline wrote:
Fri Dec 29, 2017 4:51 pm
cryptoapicert "THUMB:‎MY THUMB"
See --cryptoapicert in The Manual v24x

tripline
OpenVpn Newbie
Posts: 3
Joined: Fri Dec 29, 2017 4:22 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by tripline » Fri Dec 29, 2017 6:58 pm

TinCanTech wrote:
Fri Dec 29, 2017 5:10 pm
tripline wrote:
Fri Dec 29, 2017 4:51 pm
cryptoapicert "THUMB:‎MY THUMB"
See --cryptoapicert in The Manual v24x
My thumb is correct, just wasn't sure if it was safe to post.

jasong
OpenVpn Newbie
Posts: 2
Joined: Thu Jan 04, 2018 4:11 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by jasong » Thu Jan 04, 2018 4:24 pm

I've had this problem when trying to copy thumbprint information to configure SSL on SQL clusters. It turns out that if you use the mmc snapin to obtain the thumbprint it inserts a hidden character.

https://support.microsoft.com/en-us/hel ... -has-extra

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: First time OpenVPN setup Cannot load certificate THUMB from Microsoft Certificate Store

Post by TinCanTech » Thu Jan 04, 2018 4:57 pm

@jasong .. Good find ! :mrgreen:

And just because I don't like Microsoft here it is in full:
Microsoft wrote: Certificate thumbprint displayed in MMC certificate snap-in has extra invisible unicode character

Symptoms

If you try to copy and paste the thumbprint from this snap-in, an extra (invisible) unicode character is copied as well. This can lead to problems that are non-obvious. For example, copy and paste the thumbprint into notepad. It appears that the thumbprint is copied correctly, but if you try to save the document, it reports that the document contains unicode characters.

If you try to copy paste this thumbprint into an application that asks for a certificate thumbprint, this can lead to errors where the invisible unicode character is unknowingly included. For example, there is a scenario in virtual machine manager that asks for a certificate thumbprint. Copy/pasting from this snap-in will lead to a non-obvious failure due to included unicode character.

One of the applications affected by this case is SQL Server when the certificate is needed for SSL encryption of SSL connections. If you simply copy the thumbprint from the certificate GUI and paste it in with the invisible character, SQL Server fails to start.

Cause

This is caused by an issue in Richedit control which is used for the Certificate UI.

Resolution

The following workarounds can be used:

1. Instead of using certificates snap-in and certificate GUI, use certutil command line tool:
- "certutil -store -user my" for the user certificates or,
- "certutil -store my" for the machine certificates.

The thumbprint can be located in the line that starts with "Cert Hash(sha1)"

Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55

2. When using the certificates snap-in and certificate GUI, do NOT copy the "extra space" that appears before the certificate thumbprint in the Richedit control.

Last Updated: Jan 8, 2017

@Tripline .. Does this help you?
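As an added example (not code from this thread, from OpenVPN or from Microsoft), the following Python script does what jasong's post and the quoted KB article describe by hand: it checks a `cryptoapicert "THUMB:..."` line for invisible characters such as the U+200E mark the MMC Richedit control inserts, parses the `Cert Hash(sha1)` line of `certutil -store my` output, and rebuilds a clean directive. The sample directive and certutil line are constructed here; the hex digits are the example hash from the quoted KB article, not a real certificate. The function names are my own.

```python
import re
import unicodedata

SHA1_HEX_LEN = 40

# Constructed sample: a directive whose thumbprint was pasted from the MMC
# snap-in, carrying the invisible U+200E LEFT-TO-RIGHT MARK described in the
# thread. The hash is the KB article's example value, not a real certificate.
BROKEN_DIRECTIVE = (
    'cryptoapicert "THUMB:\u200ee8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55"'
)

# Constructed sample of the relevant line from "certutil -store my" output.
CERTUTIL_OUTPUT = """\
Serial Number: 01
Cert Hash(sha1): e8 12 4b 42 c4 04 fd ca 8c ec 21 f1 91 76 5c b7 c3 ad 1d 55
"""


def hidden_characters(text):
    """Return (index, code point, Unicode name) for every character in a
    thumbprint string that is not a hex digit, space or colon. Invisible
    format characters (category Cf), such as U+200E, show up here."""
    found = []
    for i, ch in enumerate(text):
        if ch in " :" or ch in "0123456789abcdefABCDEF":
            continue
        found.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return found


def normalize_thumbprint(text):
    """Keep only hex digits and return the 40-character uppercase SHA-1
    thumbprint. Anything that is not a hex digit (spaces, colons, invisible
    marks) is dropped; a wrong digit count is an error, not a guess."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text)
    if len(digits) != SHA1_HEX_LEN:
        raise ValueError(f"expected {SHA1_HEX_LEN} hex digits, got {len(digits)}")
    return digits.upper()


def thumbprints_from_certutil(output):
    """Extract every 'Cert Hash(sha1)' value from certutil -store output,
    the workaround the KB article recommends instead of the MMC GUI."""
    result = []
    for line in output.splitlines():
        m = re.match(r"\s*Cert Hash\(sha1\):\s*(.+?)\s*$", line)
        if m:
            result.append(normalize_thumbprint(m.group(1)))
    return result


def cryptoapicert_directive(thumbprint):
    """Build a clean OpenVPN cryptoapicert line from any thumbprint spelling."""
    return f'cryptoapicert "THUMB:{normalize_thumbprint(thumbprint)}"'


def check_cryptoapicert_line(line):
    """Parse a cryptoapicert THUMB: directive from an OpenVPN config and
    return (list of hidden characters found, cleaned directive)."""
    m = re.match(r'\s*cryptoapicert\s+"THUMB:(.*)"\s*$', line)
    if not m:
        raise ValueError("not a cryptoapicert THUMB: directive")
    raw = m.group(1)
    return hidden_characters(raw), cryptoapicert_directive(raw)


if __name__ == "__main__":
    hidden, fixed = check_cryptoapicert_line(BROKEN_DIRECTIVE)
    for index, codepoint, name in hidden:
        print(f"hidden character at offset {index}: {codepoint} {name}")
    print("cleaned directive:", fixed)
    print("from certutil:", thumbprints_from_certutil(CERTUTIL_OUTPUT))
```

Running the script on the constructed directive reports the U+200E mark at offset 0 of the thumbprint, which is exactly the character a text editor or OpenVPN's log line will not show, and then prints the cleaned directive, which is the form to put in the client config.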
