(cryptoapicert?) RESOLVED



  • so.. despite having not much experience w/ VPNs (been running m0n0wall w/ a PPTP server /w radius authentication for about 1yr…. pretty dang easy to set up)

    I recently started messing w/ pfsense to try it out vs m0n0wall... I was kinda excited by the OpenVPN capabilities and wanted to have a go with securing my wifi over OpenVPN

    using the outbound NAT and push "redirect-gateway def1"; I now seem to have succeeded in getting OpenVPN up and running and routing everything over the VPN

    (along with pushing DNS and WINS to my win2k3 server... i have access to the LAN from the Wifi interface)

    I'm pretty happy w/ myself for getting this much working after messing w/ it for a "few" hours  :)

    BUT... there is something I can't for the life of me figure out

    cryptoapicert

    the documentation has been apparently not enough for my "limited" understanding of CAs / keys... the Windows CA store... to get this going

    I imported my client key to the "Local Computer / Personal" and my .ovpn client config looks like this

    float
    port 1194
    dev tun
    dev-node monkeybase
    proto tcp-client
    remote XXXX.com 1194
    ping 10
    persist-tun
    persist-key
    tls-client
    ca ca.crt
    cryptoapicert "THUMB:05 28 ......"
    #key client2.key
    ns-cert-type server
    comp-lzo
    pull
    verb 4
    

    but it gets an error message

    
    Sun Oct 21 17:13:07 2007 us=188717 Cannot load certificate "THUMB:05 28 ....." from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
    Sun Oct 21 17:13:07 2007 us=408817 Exiting
    

    sooo... I'm apparently doing something wrong w/ importing the ca to the windows store... can anyone expand on this process as it is pretty "vague" in the documentation... (maybe they "rightfully" expect u to have more of an idea what you are doing if you are trying this.... :)  but i don't so .... if someone could possibly help me out that would be super and most appreciated.

    best regards and thank you for taking the time to read this.

    NEVER MIND FIGURED IT OUT

    I was apparently not aware I need to use OpenSSL to make a PKCS12 file for the ca / key

    anyways in case anyone else is searching later and confused about the cryptoapicert thing

    http://www.informit.com/articles/article.aspx?p=387173&seqNum=9&rl=1

    is the article that got me going.

    Best Regards
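
The fix described in the post above, as an added example (not part of the original post and not OpenVPN's own tooling): bundle the certificate and key into a PKCS#12 file with OpenSSL, import it into the Windows certificate store, and confirm the store entry really has a private key attached, which is what the CryptAcquireCertificatePrivateKey error reports as missing. It assumes PowerShell with the PKI module and openssl on the PATH; the file name client2.crt is hypothetical (client2.key and ca.crt come from the config in the post).

```powershell
# Added example. Assumed file names: client2.crt is hypothetical;
# client2.key and ca.crt appear in the client config in the post.
$ErrorActionPreference = 'Stop'

# Show what is already in the Personal stores. A certificate imported from a
# bare .crt/.cer file lists HasPrivateKey = False, and cryptoapicert cannot use it.
Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Select-Object Subject, Thumbprint, HasPrivateKey, PSParentPath |
    Format-Table -AutoSize

# 1. Bundle client certificate + private key (+ CA certificate) into one PKCS#12 file.
#    openssl prompts for an export password that protects the key inside the file.
& openssl pkcs12 -export -in client2.crt -inkey client2.key -certfile ca.crt -out client2.p12
if ($LASTEXITCODE -ne 0) { throw 'openssl pkcs12 -export failed' }

# 2. Import the bundle into the current user's Personal store.
#    Without -Exportable the private key cannot be exported from the store again.
$pfxPassword = Read-Host -Prompt 'PKCS#12 export password' -AsSecureString
$cert = Import-PfxCertificate -FilePath .\client2.p12 `
            -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword |
        Where-Object HasPrivateKey |
        Select-Object -First 1

# 3. Fail loudly if the store entry still has no key attached.
if (-not $cert) {
    throw 'No imported certificate has a private key; check the -inkey file used in step 1.'
}

# 4. Print the config line with the thumbprint as space-separated hex byte pairs.
$thumb = $cert.Thumbprint -replace '(..)(?=.)', '$1 '
"cryptoapicert `"THUMB:$thumb`""

# 5. The key now lives in the certificate store; remove the loose copies
#    once the VPN connects (client2.key is no longer referenced by the config).
Write-Host 'Delete client2.p12 and client2.key from disk after verifying the connection.'
```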

