Hi
I am trying to use the Microsoft certificate store/API for client validation of Windows hosts towards an F5.
Everything works when we use file-based certificates, but for security purposes I would prefer to use the Windows certificate store and set the private key on the client as non-exportable...
I have enabled
engineId = capi
in the global section of stunnel.conf, and for the required client/service I have:
[F5CertAdmin]
client=yes
accept = 127.0.0.1:1679
connect = w.x.y.z:443
delay = yes
sni = ssl79admpki.xxxx.com
CApath = C:\Program Files (x86)\stunnel\config\certs
CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem
verify = 2
engineId = capi
key = BaaSClientCertificateCP
cert = BaaSClientCertificateCP
I have a certificate in the local computer certificate store with the supplied name, but stunnel is not able to locate it... Is it because it will look under the user account? If yes, will it look under the local machine when running as Local System?
The output from stunnel says:
[ ] Initializing service [F5CertAdmin]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] Client certificate engine (capi) enabled
[ ] Loading certificate from engine ID: BaaSClientCertificateCP
[!] ENGINE_ctrl_cmd: Peer suddenly disconnected
[ ] Initializing private key on engine ID: BaaSClientCertificateCP
[!] ENGINE_load_private_key: 26096080: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
[ ] Loading certificate from file: BaaSClientCertificateCP
[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [F5CertAdmin]: Failed to initialize TLS context
Any advice appreciated...
Thanks
Brian
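A quick way to answer the "which store is it looking in" question on the host itself, as an added example that is not part of the original post: the script below enumerates both the CurrentUser and LocalMachine personal ("My") stores for a certificate whose subject contains the configured name or whose friendly name equals it, and reports whether a private key is attached, which provider holds it, and whether that key is exportable. The certificate name is the one from the stunnel.conf above; the script itself and everything else in it are assumptions for illustration. As far as I know, OpenSSL's capi engine opens the current user's store unless told otherwise through its store_flags engine control (which stunnel can pass with the engineCtrl option), so what matters is what the stunnel service account sees; verify those engine details against the capi engine documentation shipped with your OpenSSL build.

```powershell
# Added example (not from the original post): find the client certificate that
# stunnel's capi engine is being asked for, in both personal stores, and report
# what the engine will need from it. $Name defaults to the name used in the
# stunnel.conf quoted above; everything else here is assumed.
param(
    [string] $Name = 'BaaSClientCertificateCP'
)

function Get-KeyInfo {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)

    if (-not $Cert.HasPrivateKey) {
        return [pscustomobject]@{ Provider = '(no private key)'; Exportable = $null }
    }
    try {
        # Legacy CryptoAPI (CSP) keys expose CspKeyContainerInfo.
        $csp = $Cert.PrivateKey.CspKeyContainerInfo
        if ($csp) {
            return [pscustomobject]@{
                Provider   = "CSP: $($csp.ProviderName)"
                Exportable = $csp.Exportable
            }
        }
    } catch { }   # PrivateKey throws for CNG keys on .NET Framework; fall through
    try {
        # CNG (KSP) keys come back as RSACng; ExportPolicy says whether the key may leave the box.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return [pscustomobject]@{
                Provider   = "KSP: $($rsa.Key.Provider.Provider)"
                Exportable = ($rsa.Key.ExportPolicy -ne 'None')
            }
        }
    } catch { }
    # Reaching here usually means the current account has no access to the key.
    return [pscustomobject]@{ Provider = 'unknown (access denied?)'; Exportable = $null }
}

foreach ($location in 'CurrentUser', 'LocalMachine') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', $location)
    try {
        $store.Open('ReadOnly')
        # The capi engine matches on a subject substring or on the friendly name, so test both.
        $hits = $store.Certificates | Where-Object {
            $_.Subject -like "*CN=$Name*" -or $_.FriendlyName -eq $Name
        }
        if (-not $hits) {
            Write-Host "$location\My : no certificate matching '$Name'"
            continue
        }
        foreach ($cert in $hits) {
            $key = Get-KeyInfo -Cert $cert
            [pscustomobject]@{
                Store         = "$location\My"
                Subject       = $cert.Subject
                FriendlyName  = $cert.FriendlyName
                Thumbprint    = $cert.Thumbprint
                NotAfter      = $cert.NotAfter
                HasPrivateKey = $cert.HasPrivateKey
                KeyProvider   = $key.Provider
                Exportable    = $key.Exportable
            } | Format-List
        }
    } finally {
        $store.Close()
    }
}
```

Run it once as yourself and once under the account the stunnel service runs as (for Local System, for example via psexec -s powershell.exe -File the-script.ps1). A certificate that only appears under LocalMachine\My, or under your own CurrentUser\My, is not in SYSTEM's CurrentUser\My, which is the store a current-user lookup made by the service would search; an "access denied" result under the service account means the key ACL, not the store, is the blocker. The reported provider is also worth noting down, since a legacy CSP key and a CNG KSP key are handled differently by the capi engine depending on the OpenSSL version stunnel was built against.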