Hi

 I am trying to use the Microsoft certificate store/API for client validation 
of Windows hosts towards an F5.

Everything works when we use file-based certificates - but for security 
purposes I would prefer to use the Windows certificate store, and set the 
private key on the client as non-exportable...

I have enabled the

engineId = capi 

in the global section of stunnel.conf - and for the required client/service I 
have:

[F5CertAdmin]
client = yes
accept = 127.0.0.1:1679
connect = w.x.y.z:443
delay = yes
sni = ssl79admpki.xxxx.com
CApath = C:\Program Files (x86)\stunnel\config\certs
CAFile = C:\Program Files (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem
verify = 2
engineId = capi
key = BaaSClientCertificateCP
cert = BaaSClientCertificateCP

I have a certificate in the local computer certificate store with the supplied 
name - but stunnel is not able to locate it... Is it because it will look under 
the user account? If yes, will it look under the local machine when running as 
local system?

The output from stunnel says:

[ ] Initializing service [F5CertAdmin]
[ ] Ciphers: HIGH:!DH:!aNULL:!SSLv2
[ ] TLS options: 0x03000004 (+0x03000000, -0x00000000)
[ ] Client certificate engine (capi) enabled
[ ] Loading certificate from engine ID: BaaSClientCertificateCP
[!] ENGINE_ctrl_cmd: Peer suddenly disconnected
[ ] Initializing private key on engine ID: BaaSClientCertificateCP
[!] ENGINE_load_private_key: 26096080: error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
[ ] Loading certificate from file: BaaSClientCertificateCP
[!] error queue: 140DC002: error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
[!] error queue: 20074002: error:20074002:BIO routines:FILE_CTRL:system lib
[!] SSL_CTX_use_certificate_chain_file: 2001002: error:02001002:system library:fopen:No such file or directory
[!] Service [F5CertAdmin]: Failed to initialize TLS context


Any advice appreciated...

Thanks

Brian

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
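The question above comes down to which certificate store the certificate actually sits in, and whether the private key behind it is the kind a CryptoAPI-based engine can open. The following Windows PowerShell script is an added diagnostic, not part of the original post and not stunnel's own tooling: it searches both the CurrentUser and LocalMachine personal stores for a certificate whose subject or friendly name contains the given string (the name from the post is the default), and for each match reports whether a private key is attached, whether it is a legacy CSP key or a CNG/KSP key, and, for CSP keys, whether it is marked exportable. The CSP-versus-CNG classification relies on the `CspKeyContainerInfo` property of the .NET `PrivateKey` object and is best-effort; run it once as your own account and once in the context the stunnel service uses (for example via `psexec -s`), since a machine-store key that the service account cannot open shows up here as a key-access error rather than a match.

```powershell
# Added diagnostic (not from the original post or from stunnel): report where a
# certificate lives and what kind of private key backs it, so a store lookup
# failure can be narrowed to "wrong store", "no private key" or "wrong key type".
# The default name is the one used in the post; pass -Name to check another.
param(
    [string]$Name = 'BaaSClientCertificateCP'   # subject / friendly-name substring
)

# Both personal stores are checked because a service running as LocalSystem
# and an interactive user do not share a CurrentUser store.
$stores = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')

foreach ($store in $stores) {
    $found = Get-ChildItem -Path $store |
        Where-Object { $_.Subject -like "*$Name*" -or $_.FriendlyName -like "*$Name*" }

    if (-not $found) {
        Write-Output "$store : no certificate matching '$Name'"
        continue
    }

    foreach ($cert in $found) {
        $keyType    = 'none'
        $exportable = 'n/a'

        if ($cert.HasPrivateKey) {
            try {
                # Legacy CryptoAPI (CSP) keys expose CspKeyContainerInfo; CNG/KSP keys do not.
                $csp = $cert.PrivateKey.CspKeyContainerInfo
                if ($csp) {
                    $keyType    = "CSP ($($csp.ProviderName))"
                    $exportable = $csp.Exportable
                } else {
                    $keyType = 'CNG/KSP'
                }
            } catch {
                # Older .NET throws for CNG keys, and any caller without rights to a
                # machine key gets "Keyset does not exist"; surface the message as-is.
                $keyType = "could not open key: $($_.Exception.Message)"
            }
        }

        [pscustomobject]@{
            Store         = $store
            Subject       = $cert.Subject
            FriendlyName  = $cert.FriendlyName
            Thumbprint    = $cert.Thumbprint
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            KeyType       = $keyType
            Exportable    = $exportable
        }
    }
}
```

Reading the output: a match only under `Cert:\CurrentUser\My` while the service runs as LocalSystem means the two contexts are looking at different stores; `HasPrivateKey = False` means the certificate was imported without its key; and an `Exportable = False` CSP key is exactly the non-exportable configuration the post is aiming for, so the key itself is not the problem in that case.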
