[stunnel-users] stunnel and CAPI on Windows
Małgorzata Olszówka
Malgorzata.Olszowka at stunnel.org
Tue Jun 5 09:46:18 CEST 2018
On 23.05.2018 at 11:16, Brian Ipsen wrote:
> I am trying to use the Microsoft certificate store/API for client
> validation of Windows hosts towards an F5.
>
> Everything works, when we use file-based certificates - but for security
> purposes I would prefer to use the windows certificate store, and set
> the private key on the client as non-exportable...
>
> engineId = capi
> [F5CertAdmin]
> client=yes
> accept = 127.0.0.1:1679
> connect = w.x.y.z:443
> delay = yes
> sni = ssl79admpki.xxxx.com
> CApath = C:\Program Files (x86)\stunnel\config\certs
> CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem
> verify = 2
> engineId = capi
> key = BaaSClientCertificateCP
> cert = BaaSClientCertificateCP
>
Hello Brian,
With the CAPI engine you don't need to manually select the client key to
use. Don't use key and cert options. The client key is automatically
selected based on the list of CAs trusted by the server.
Regards,
Małgorzata