<html>
<p>Hi,</p>
<p>I am trying to use the Microsoft certificate store/API for client validation of Windows hosts towards an F5.</p>
<p>Everything works when we use file-based certificates, but for security purposes I would prefer to use the Windows certificate store and set the private key on the client as non-exportable...</p>
<p>I have enabled</p>
<pre>engineId = capi</pre>
<p>in the global section of stunnel.conf, and for the required client/service I have:</p>
<pre>[F5CertAdmin]
client = yes
accept = 127.0.0.1:1679
connect = w.x.y.z:443
delay = yes
sni = ssl79admpki.xxxx.com
CApath = C:\Program Files (x86)\stunnel\config\certs
CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem
verify = 2
engineId = capi
key = BaaSClientCertificateCP
cert = BaaSClientCertificateCP</pre>
<p>I have a certificate in the local computer certificate store with the supplied name, but stunnel is not able to locate it... Is it because it will look under the user account? If yes, will it look under the local machine when running as Local System?</p>
<p>The output from stunnel says:</p>
<pre>[ ] Initializing service [F5CertAdmin]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] Client certificate engine (capi) enabled
[ ] Loading certificate from engine ID: BaaSClientCertificateCP
[!] ENGINE_ctrl_cmd: Peer suddenly disconnected
[ ] Initializing private key on engine ID: BaaSClientCertificateCP
[!] ENGINE_load_private_key: 26096080: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
[ ] Loading certificate from file: BaaSClientCertificateCP
[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [F5CertAdmin]: Failed to initialize TLS context</pre>
<p>Any advice appreciated...</p>
<p>Thanks</p>
<p>Brian</p>
</html>
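<p>The check below is an added example and is not part of Brian's post or of stunnel's own code. It runs on the Windows client and reports what a CAPI engine inside stunnel would actually be able to see. The OpenSSL CAPI engine (e_capi.c) opens the "MY" store of the current user unless its store_flags control is set to 1 (local machine store), and by default matches the configured name as a substring of the certificate subject (lookup_method 1); lookup_method 2 matches the friendly name instead. The script therefore searches both personal stores with both match rules and, for each hit, reports whether a private key is present, whether it lives in a legacy CSP or a CNG key storage provider, its export policy, the on-disk key file and its ACL, and which account the stunnel service runs as. The service name "stunnel" and the key-file locations under %ProgramData%\Microsoft\Crypto are assumptions, not taken from the post.</p>

```powershell
<#
Added example (not from the original post): what can a CAPI engine see?

Searches Cert:\LocalMachine\My and Cert:\CurrentUser\My for a certificate whose
subject contains $Name (OpenSSL CAPI lookup_method 1, the default) or whose
friendly name equals $Name (lookup_method 2), then reports the private-key
details that decide whether the engine can use it.

Assumptions: the stunnel Windows service is registered as "stunnel"; machine
key files live under %ProgramData%\Microsoft\Crypto (RSA\MachineKeys for legacy
CSP keys, Keys for CNG keys). Adjust the parameters for your install.
#>
param(
    [string]$Name        = 'BaaSClientCertificateCP',
    [string]$ServiceName = 'stunnel'
)

function Get-KeyDetails {
    # Provider, export policy, key file and ACL for a cert's private key.
    # An access error is reported rather than thrown: it is itself diagnostic.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $out = [ordered]@{ Provider = $null; ExportPolicy = $null; KeyFile = $null; KeyAcl = $null; KeyError = $null }
    if (-not $Cert.HasPrivateKey) { return [pscustomobject]$out }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            # Legacy CSP key: the kind the OpenSSL CAPI engine acquires via CryptAcquireContext.
            $info = $rsa.CspKeyContainerInfo
            $out.Provider     = $info.ProviderName
            $out.ExportPolicy = if ($info.Exportable) { 'Exportable' } else { 'NonExportable' }
            if ($info.MachineKeyStore) {
                $out.KeyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$($info.UniqueKeyContainerName)"
            }
        } elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
            # CNG key storage provider: confirm that the OpenSSL build in use can reach these at all.
            $out.Provider     = "CNG: $($rsa.Key.Provider.Provider)"
            $out.ExportPolicy = $rsa.Key.ExportPolicy.ToString()   # 'None' means non-exportable
            if ($rsa.Key.IsMachineKey) {
                $out.KeyFile = Join-Path $env:ProgramData "Microsoft\Crypto\Keys\$($rsa.Key.UniqueName)"
            }
        } else {
            $out.KeyError = 'private key is not RSA (GetRSAPrivateKey returned null)'
        }
        if ($out.KeyFile -and (Test-Path -LiteralPath $out.KeyFile)) {
            # The stunnel service account must be granted read here, directly or via a group.
            $out.KeyAcl = ((Get-Acl -LiteralPath $out.KeyFile).Access |
                ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }) -join '; '
        }
    } catch {
        # Typically "Access denied" or "Keyset does not exist": the caller lacks rights on the container.
        $out.KeyError = $_.Exception.Message
    }
    [pscustomobject]$out
}

function Find-ClientCert {
    # Mirrors the engine's two lookup rules: subject substring (default) or exact friendly name.
    param([string]$StorePath, [string]$Needle)
    Get-ChildItem -Path $StorePath | Where-Object {
        $_.Subject -like "*$Needle*" -or $_.FriendlyName -eq $Needle
    } | ForEach-Object {
        $cert    = $_
        $details = Get-KeyDetails -Cert $cert
        [pscustomobject]@{
            Store         = $StorePath
            MatchedBy     = if ($cert.FriendlyName -eq $Needle) { 'FriendlyName (lookup_method 2)' } else { 'Subject substring (lookup_method 1)' }
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            Provider      = $details.Provider
            ExportPolicy  = $details.ExportPolicy
            KeyFile       = $details.KeyFile
            KeyAcl        = $details.KeyAcl
            KeyError      = $details.KeyError
        }
    }
}

$hits = foreach ($store in 'Cert:\LocalMachine\My', 'Cert:\CurrentUser\My') {
    Find-ClientCert -StorePath $store -Needle $Name
}
if (-not $hits) {
    Write-Warning "No certificate matching '$Name' (subject substring or friendly name) in either My store."
} else {
    $hits | Format-List
}

# Cert:\CurrentUser for a service running as LocalSystem is the S-1-5-18 profile's store,
# not the store of the administrator who imported the certificate interactively.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
if ($svc) {
    "Service '$ServiceName' runs as '$($svc.StartName)'; this script ran as '$([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)'."
} else {
    Write-Warning "No service named '$ServiceName' found (assumed name; pass -ServiceName)."
}
```

<p>Run it once in your own session and once from the account the service uses (for Local System, a PsExec -s shell or a scheduled task does) so that both the store view and the key ACL are evaluated as the engine would see them. A certificate that appears only in the LocalMachine column while the engine was left at its current-user default, or one whose Provider is a CNG key storage provider, or whose KeyAcl lacks the service account, each explains a "failed loading private key" on its own. stunnel passes engine controls through its global engineCtrl option (COMMAND[:PARAMETER]), so store_flags:1 and, if the match should be on the friendly name, lookup_method:2 would sit next to the engine setting in the global section; the post does not say whether this was tried, and the stunnel manual for the installed version is the reference for the exact option spelling.</p>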