Hi Ferenc,
On 23/11/20 13:03, Ferenc Gerlits via openssl-users wrote:
> Hi,
> I am trying to use OpenSSL to implement a client-side TLS connection
> with Client Authentication on Windows, using a non-exportable private
> key stored in the Windows Certificate Store. Currently, our code can
> use a private key stored in a local file, and if the key in the
> Windows store were exportable, I could export it and use it in the
> existing code. But the key is non-exportable, which is a problem.
> Does anyone know how to do this?
> So far, I have found suggestions to use the CAPI engine (e.g.
> https://groups.google.com/g/mailing.openssl.users/c/_rdJLc7emAY?pli=1),
> but no examples of how to do that, and also some tickets (e.g.
> https://github.com/openssl/openssl/issues/12859) which say that the
> CAPI engine does not work with TLS >= 1.2 on OpenSSL 1.1.1, so that
> doesn't look like a good solution.
OpenVPN 2.4+ can use the Windows Certificate Store to encrypt and sign
traffic using CNG (Crypto Next Gen, I believe). I'd suggest you download
the source code and examine the file cryptoapi.c for details.
HTH,
JJK