Bug #6339
OpenVPN Client Export package option for "Use Microsoft Certificate Storage" does not specify which certificate to use
Status: Closed (100% done)
Description
Just spent a while tracking this down, please disregard if it's a PEBKAC issue. :)
I tried the option in the client export for "Use Microsoft Certificate Storage instead of local files.", which does have the installer correctly add the certificate to the Microsoft Certificate Storage. However, when I try to connect with the included configuration, it seems to pick a certificate to connect with at random (which for me happened to be a domain auth certificate for my work domain, rather than the OpenVPN cert that had just gotten installed). After a bit of searching, I found that the correct certificate was being located by the following configuration directive:
cryptoapicert "SUBJ:"
Which as I understand it searches the Microsoft Certificate Storage for any certificate with a subject...rather than the specific one just installed. :) I found ticket 386 (https://community.openvpn.net/openvpn/ticket/386) over in the OpenVPN issue tracker, which documents what the submitter was able to figure out as far as what the subject format needed to be to properly locate the cert. tl;dr version:
1) Run the cert through "openssl x509 -in foo.cer -noout -subject"
2) Replace each container label other than the first (i.e. "ST=") with ", "
In my case openssl gave me a subject of:
subject= /C=US/ST=Washington/L=Newcastle/O=Superlime Industries/emailAddress=xxx@xxx.xxx/CN=OpenVPNAuth
which transformed into a config directive of:
cryptoapicert "SUBJ:US, Washington, Newcastle, Superlime Industries, xxx@xxx.xxx, OpenVPNAuth"
With the proper config directive in place, selecting the cert worked exactly as expected and I was able to connect successfully. Should the export package do all that transformation for the user? Otherwise, it seems fairly unlikely that the right cert would end up getting selected for the user automatically.
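The two-step transformation from the report, as an added Python example (not code from the OpenVPN Client Export package or from the reporter): it parses the `openssl x509 -noout -subject` line into its RDN values and emits the `cryptoapicert "SUBJ:..."` directive, refusing to emit the bare `SUBJ:` form that matched an arbitrary certificate. It also accepts the `C = US, ST = ...` subject form that newer OpenSSL releases print, which the report does not cover; the subject line below is the one from the report.

```python
import re

# Subject line taken from the report above (email address redacted as in the original).
OPENSSL_SUBJECT = (
    'subject= /C=US/ST=Washington/L=Newcastle/O=Superlime Industries'
    '/emailAddress=xxx@xxx.xxx/CN=OpenVPNAuth'
)

# Classic form: one "/LABEL=value" per RDN, with "\/" escaping a literal slash.
_SLASH_RDN = re.compile(r'/((?:[^/\\]|\\.)*)')
# OpenSSL 1.1+ form: "LABEL = value, LABEL = value", with "\," escaping a literal comma.
_COMMA_RDN = re.compile(r'(?:^|, )((?:[^,\\]|\\.)*)')


def parse_openssl_subject(line):
    """Return [(label, value), ...] from an `openssl x509 -noout -subject` line.

    Handles both "subject= /C=US/ST=..." and "subject=C = US, ST = ..." output.
    """
    body = line.strip()
    if body.lower().startswith('subject='):
        body = body[len('subject='):].strip()
    parts = _SLASH_RDN.findall(body) if body.startswith('/') else _COMMA_RDN.findall(body)
    pairs = []
    for part in parts:
        label, sep, value = part.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % part)
        # Undo the escaping of the separator characters inside a value.
        value = value.strip().replace('\\/', '/').replace('\\,', ',')
        pairs.append((label.strip(), value))
    return pairs


def cryptoapicert_subj(line):
    """Build the directive: drop every label and join the values with ", " (step 2 of the report)."""
    values = [value for _label, value in parse_openssl_subject(line)]
    if not values:
        # An empty "SUBJ:" is what the exported config shipped with, and it matched any cert.
        raise ValueError('empty subject would select an arbitrary certificate')
    return 'cryptoapicert "SUBJ:%s"' % ', '.join(values)


if __name__ == '__main__':
    print(cryptoapicert_subj(OPENSSL_SUBJECT))
```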
Updated by Caleb Hornbeck about 6 years ago
Not sure if it would be easier to implement, but using this works well for me:
cryptoapicert "THUMB:<cert thumbprint>"
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Azamat Khakimyanov over 2 years ago
- Status changed from Feedback to Resolved
Tested on 21.05_2 and on 22.01-BETA (built on Mon Dec 20 06:23:28 UTC 2021).
I see that OpenVPN Client Export package uses full 'subject' line in openvpn exported configs.
I'll mark this bug as resolved.