Hello, I'm trying to use stunnel in server mode with certificates from the Windows Certificate Store. I have a basic configuration which is working with a PEM certificate file and I'm trying to get it to use a cert via the CAPI engine. Here is my basic (working) config: debug = debug output = C:\stunnel\stunnel.log options = -NO_SSLv3 [https] accept = 443 connect = 80 cert = stunnel.pem Here is my config using the CAPI engine: debug = debug output = C:\stunnel\stunnel.log engine = capi engineCtrl = debug_level:2 engineCtrl = debug_file:c:\stunnel\capi.log engineCtrl = store_flags:1 engineCtrl = list_certs options = -NO_SSLv3 [https] accept = 443 connect = 80 engineId = capi However stunnel does not seem to find a certificate to use: [...] 2018.03.06 10:22:05 LOG7[main]: Enabling support for engine "capi" 2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_level:2 2018.03.06 10:22:05 LOG7[main]: Executing engine control command debug_file:c:\stunnel\capi.log 2018.03.06 10:22:05 LOG7[main]: Executing engine control command store_flags:1 2018.03.06 10:22:05 LOG7[main]: Executing engine control command list_certs 2018.03.06 10:22:05 LOG7[main]: Initializing engine #1 (capi) 2018.03.06 10:22:05 LOG6[main]: Engine #1 (capi) initialized [...] 2018.03.06 10:22:05 LOG6[main]: Initializing service [https] 2018.03.06 10:22:05 LOG7[main]: Ciphers: HIGH:!DH:!aNULL:!SSLv2 2018.03.06 10:22:05 LOG7[main]: TLS options: 0x01004004 (+0x03004000, -0x02000000) 2018.03.06 10:22:05 LOG7[main]: No certificate or private key specified [...] And I have no certificates listed in the CAPI debug log: Setting debug level to 2 Setting debug file to c:\stunnel\capi.log Setting flags to 1 Listing certs for store MY Opening certificate store MY capi_cert_get_fname When I load the engine via OpenSSL, I can see that a certificate is present in the store: C:\stunnel\bin>openssl.exe engine -t dynamic -pre "SO_PATH:C:\stunnel\engines\capi.dll" -pre LOAD -post store_flags:1 -post store_name:MY -post list_certs WARNING: can't open config file: /devel/win32/openssl/openssl.cnf (dynamic) Dynamic engine loading support [Success]: SO_PATH:C:\stunnel\engines\capi.dll [Success]: LOAD Loaded: (capi) CryptoAPI ENGINE [ available ] [Success]: store_flags:1 Certificate 0 Friendly Name "test" Subject: CN = test Issuer: CN = test [Success]: list_certs This certificate (and the associated private key) has been generated via the IIS Manager console and I have imported it in the Local Computer Store (with the private key). Does anybody have any idea what I am missing to get this to work ? I can provide more logs and run more tests if necessary. I'm using Stunnel 5.44 on Windows 2008 R2. I tried with an older version (5.40) but same problem. Thanks. Kevin