Bug #6339


OpenVPN Client Export package option for "Use Microsoft Certificate Storage" does not specify which certificate to use

Added by Scott Bradner over 5 years ago. Updated about 1 month ago.

OpenVPN Client Export


Just spent a while tracking this down, please disregard if it's a PEBKAC issue. :)

I tried the option in the client export for "Use Microsoft Certificate Storage instead of local files.", which does have the installer correctly add the certificate to the Microsoft Certificate Storage. However, when I try to connect with the included configuration, it seems to pick a certificate to connect with at random (which for me happened to be a domain auth certificate for my work domain, rather than the OpenVPN cert that had just gotten installed). After a bit of searching, I found that the correct certificate was being located by the following configuration directive:

cryptoapicert "SUBJ:" 

Which as I understand it searches the Microsoft Certificate Storage for any certificate with a subject...rather than the specific one just installed. :) I found ticket 386 over in the OpenVPN issue tracker, which documents what the submitter was able to figure out as far as what the subject format needed to be to properly locate the cert. tl;dr version:

1) Run the cert through "openssl x509 -in foo.cer -noout -subject"
2) Replace each container label other than the first (i.e. "ST=") with ", "

In my case openssl gave me a subject of:

subject= /C=US/ST=Washington/L=Newcastle/O=Superlime Industries/" 

which transformed into a config directive of:

cryptoapicert "SUBJ:US, Washington, Newcastle, Superlime Industries,, OpenVPNAuth" 

With the proper config directive in place, selecting the cert worked exactly as expected and I was able to connect successfully. Should the export package do all that transformation for the user? Otherwise, it seems fairly unlikely that the right cert would end up getting selected for the user automatically.

Actions #1

Updated by Caleb Hornbeck almost 4 years ago

Not sure if it would be easier to implement, but using this works well for me:

cryptoapicert "THUMB:<cert thumbprint>"
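
The two selector forms discussed above, as an added example that is not part of the ticket or of the export package's code: `subj_selector` applies the two steps from the report to slash-separated `openssl x509 -noout -subject` output, and `thumb_selector` builds the `THUMB:` form from the SHA-1 of the certificate's DER bytes. The function names, the sample subject and the stand-in PEM body are constructed for illustration.

```python
import hashlib
import re
import ssl

# Constructed sample subject in the slash-separated form shown in the report.
SAMPLE_SUBJECT = "subject= /C=US/ST=Example State/L=Example City/O=Example Org/CN=vpn-user"
# Constructed stand-in, NOT a real certificate: the body decodes to b"abc".
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"


def subj_selector(openssl_subject: str) -> str:
    """Build a SUBJ: directive using the two steps described in the report."""
    dn = openssl_subject.strip()
    if dn.startswith("subject="):
        dn = dn[len("subject="):].strip()
    if not dn.startswith("/"):
        raise ValueError("expected the slash-separated form, e.g. /C=US/ST=...")
    values = []
    # Split only on '/' that is not backslash-escaped inside a value.
    for part in re.split(r"(?<!\\)/", dn[1:]):
        _label, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"component without '=': {part!r}")
        if '"' in value:
            raise ValueError("a double quote would break the quoted directive")
        # Drop the label ("C=", "ST=", ...) and keep only the value.
        values.append(value.replace("\\/", "/"))
    return 'cryptoapicert "SUBJ:' + ", ".join(values) + '"'


def thumb_selector(pem_cert: str) -> str:
    """Build a THUMB: directive; the thumbprint is SHA-1 over the DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    digest = hashlib.sha1(der).hexdigest()
    pairs = " ".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f'cryptoapicert "THUMB:{pairs}"'


if __name__ == "__main__":
    print(subj_selector(SAMPLE_SUBJECT))
    print(thumb_selector(SAMPLE_PEM))
```

A subject string can be shared by more than one certificate in the store, while a thumbprint identifies exactly one certificate and has to be updated when that certificate is reissued.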

Actions #3

Updated by Jim Pingle about 2 years ago

  • Status changed from New to Pull Request Review
Actions #4

Updated by Renato Botelho about 2 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #5

Updated by Azamat Khakimyanov about 1 month ago

  • Status changed from Feedback to Resolved

Tested on 21.05_2 and on 22.01-BETA (built on Mon Dec 20 06:23:28 UTC 2021)

I see that the OpenVPN Client Export package uses the full 'subject' line in OpenVPN exported configs.

I'll mark this Bug as resolved.

