User Certificate - Cannot find the certificate and private key for decryption error
Posted: Fri Mar 26, 2021 2:23 pm
by FootShopAB
We're attempting to create a new VPN instance on PFSense using user & computer certificates issued by our ADCA.
The certs are deployed via GPO & are located in the respective certificate stores (with the distinguished name, email & principal name from AD for user & computer name for computer as the Subject respectively) & OpenVPN 2.5.1 is deployed with both Interactive & Service modes enabled.
Here is our .ovpn file:
client
dev tun
persist-tun
persist-key
data-ciphers AES-128-GCM
data-ciphers-fallback AES-128-GCM
auth SHA256
tls-client
resolv-retry infinite
remote server.name 443 tcp4
setenv opt block-outside-dns
verify-x509-name "server.name" name
remote-cert-tls server
compress
<ca>
-----BEGIN CERTIFICATE-----
x
-----END CERTIFICATE-----
</ca>
If the .ovpn file above is placed in config-auto, it runs fine under the OpenVPNService Service, using the Computer certificate. The computer cert appears in PFSense's VPN Connection List & resources can be accessed fine.
If the same .ovpn is placed in the config folder (or the C:\Users\USERNAME\OpenVPN\config folder) & we attempt to make OpenVPN use the certificate under the Current User Personal Certificate store, it fails with the following error:
2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store
Event Viewer is not showing anything when the connection fails.
Re: User Certificate - Cannot find the certificate and private key for decryption error
2021-03-26 11:39:55 OpenSSL: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
2021-03-26 11:39:55 Cannot load certificate "SUBJ:" from Microsoft Certificate Store
The Machine cert behaves as expected, but the User cert doesn't.
Because it is not there.
See --cryptoapicert in the manual.
Re: User Certificate - Cannot find the certificate and private key for decryption error
Posted: Sat Mar 27, 2021 11:56 am
by 300000
You need to export the certificate from the computer store and import it into the user's personal certificate store, so that when OpenVPN runs it can find the certificate in the user's personal store. At the moment the ADCA only pushes the certificate down to the computer certificate store. You can find a way to use gpedit.msc to create a policy and push that certificate down so it works for you.
Re: User Certificate - Cannot find the certificate and private key for decryption error
Posted: Mon Mar 29, 2021 8:42 pm
by FootShopAB
Right, so you're suggesting that we need to manually write out the fingerprint of every cert. That's not compatible with what we're looking to do here. The idea is AD will manage and push device and user certs as they're renewed/replaced. The .ovpn is checking against the ADCA when they are used and will allow us to revoke the cert.
This is working for the device cert. We would happily use that alone if OpenVPN GUI were able to reflect the current VPN status, but expecting users who already struggle with using laptops and the GUI in Interactive mode to restart Services if their connection stalls isn't feasible.
I guess rather than saying 'are we doing this wrong' it's more to get a diagnosis of why OpenVPN/OpenVPN GUI/OpenSSL/whatever cannot see the active user's cert. Is it unable to open the user certificate store because it's trying to open it with the wrong name? (i.e. is it using the user account name (firstname.lastname), but the subject features the principal name (i.e. firstname lastname)?)
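Taking the earlier pointer to --cryptoapicert together with the question above about how OpenVPN finds the active user's certificate: OpenVPN does not look the certificate up by Windows account name at all. The --cryptoapicert directive selects it either by a substring of the certificate subject (SUBJ:...) or by its thumbprint (THUMB:...), and the .ovpn posted at the top of the thread contains no cryptoapicert line. OpenVPN GUI runs as the logged-in user, so it sees that user's personal store (Cert:\CurrentUser\My), while the service runs as SYSTEM and ends up with the computer certificate. The PowerShell script below is an added example, not code from the thread, from pfSense or from the OpenVPN project. It lists the current user's personal-store certificates that carry a usable private key, opens each key the same way CryptAcquireCertificatePrivateKey does (so a certificate imported without its key fails here too), and prints both selector forms. The issuer substring 'ADCA' and the .ovpn path are assumed placeholders.

```powershell
# Added example (not from the thread). Run it in the session of the user who will
# run OpenVPN GUI: Cert:\CurrentUser is whoever executes the script, so an elevated
# prompt opened as a different account sees a different store.
param(
    [string]$IssuerMatch = 'ADCA',                                            # assumed: substring of the issuing CA name
    [string]$OvpnPath    = "$env:USERPROFILE\OpenVPN\config\client.ovpn",    # assumed path
    [switch]$Append                                                           # write the SUBJ: directive into the .ovpn
)

function Get-KeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Actually open the private key. HasPrivateKey only says the store has a key
    # reference; opening it is what OpenVPN's CryptAcquireCertificatePrivateKey
    # call does, so a failure here reproduces the error from the log.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return 'CNG KSP: ' + $rsa.Key.Provider.Provider
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return 'CAPI CSP: ' + $rsa.CspKeyContainerInfo.ProviderName
        }
        return 'non-RSA or unknown provider'
    } catch {
        return "key not openable: $($_.Exception.Message)"
    }
}

$store  = Get-ChildItem Cert:\CurrentUser\My
$usable = $store | Where-Object {
    $_.HasPrivateKey -and $_.Issuer -like "*$IssuerMatch*" -and $_.NotAfter -gt (Get-Date)
}

if (-not $usable) {
    Write-Warning "No unexpired '$IssuerMatch' certificate with a private key in Cert:\CurrentUser\My."
    Write-Warning "A user cert has to come from a USER template via autoenrollment; the GPO-deployed computer cert lives in Cert:\LocalMachine\My."
    $store | Format-Table Subject, Issuer, HasPrivateKey, NotAfter -AutoSize
    return
}

# Show everything OpenVPN could pick from, including where each key is held.
$usable | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Key        = Get-KeyProvider $_
        Thumbprint = $_.Thumbprint
    }
} | Format-List

# Old and renewed certificates can coexist after autoenrollment; prefer the newest.
$cert = $usable | Sort-Object NotBefore -Descending | Select-Object -First 1

# THUMB: pins exactly one certificate and must be edited at every renewal.
# SUBJ: is a substring match on the subject, which survives renewal as long as
# AD keeps issuing the same subject (e.g. the CN "Firstname Lastname").
$cn          = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$thumbSpaced = ($cert.Thumbprint -replace '(..)(?!$)', '$1 ').ToLower()
$bySubject   = "cryptoapicert `"SUBJ:$cn`""
$byThumb     = "cryptoapicert `"THUMB:$thumbSpaced`""

Write-Host "`nAdd ONE of these to the .ovpn (and remove any cert/key/pkcs12 lines):"
Write-Host "  $bySubject"
Write-Host "  $byThumb"

if ($Append) {
    if (-not (Test-Path $OvpnPath)) {
        Write-Warning "$OvpnPath not found; nothing written."
    } elseif (Select-String -Path $OvpnPath -Pattern '^\s*cryptoapicert\b' -Quiet) {
        Write-Warning "$OvpnPath already contains a cryptoapicert line; not appending."
    } else {
        Add-Content -Path $OvpnPath -Value $bySubject
        Write-Host "Appended to $OvpnPath"
    }
}
```

Two caveats worth checking before relying on the SUBJ: form. It is a plain substring match, so a CN such as "John Smith" also matches "John Smithson" if both ever land in the same store; and when more than one certificate matches (typically the old and the renewed one during the overlap window), which of them OpenVPN loads depends on the OpenVPN version, so either clean out superseded certificates or fall back to THUMB:. The provider line in the listing tells you whether the key lives in a legacy CAPI CSP or a CNG key storage provider; if it reads "key not openable", the certificate was imported without its private key (or the key is not accessible to this account), which is exactly the condition the logged error describes.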
Re: User Certificate - Cannot find the certificate and private key for decryption error
Posted: Mon Mar 29, 2021 9:18 pm
by 300000
That is how certificates work if you want to store them in the Windows store. How does OpenVPN call and use a certificate from the Windows store? If you know how certificates are used in Linux, it is simple but not secure by any means; if you want the security of the Windows certificate store but don't want to do anything, just install an IKEv2 VPN server on Windows and you can have full control and renew certificates from Windows.
An IKEv2 VPN server in Windows can do the same as OpenVPN if your user base is all Windows. They offer something better than OpenVPN, but you need to pay for a license, or just simply create an inline certificate in Windows as you do with the CA public certificate, so you don't need to think about the certificate store at all.
If you store the certificate in the Windows store you must edit it every time you change or renew the certificate; that is a fact, nothing can be done automatically by OpenVPN for you.