(cryptoapicert?) RESOLVED

  • so.. despite having not much experience w/ VPNs (been running m0n0wall w/ a PPTP server w/ RADIUS authentication for about 1yr…. pretty dang easy to set up)

    I recently started messing w/ pfsense to try it out vs m0n0wall... I was kinda excited by the OpenVPN capabilities and wanted to have a go with securing my wifi over OpenVPN

    using the outbound NAT and push "redirect-gateway def1"; I now seem to have succeeded in getting OpenVPN up and running and routing everything over the VPN

    (along with pushing DNS and WINS to my win2k3 server... i have access to the LAN from the Wifi interface)

    I'm pretty happy w/ myself for getting this much working after messing w/ it for a "few" hours  :)

    BUT... there is something I can't for the life of me figure out


    the documentation has been apparently not enough for my "limited" understanding of CAs / keys... the Windows CA store... to get this going

    I imported my client key to the "Local Computer / Personal" and my .ovpn client config looks like this

    port 1194
    dev tun
    dev-node monkeybase
    proto tcp-client
    remote XXXX.com 1194
    ping 10
    ca ca.crt
    cryptoapicert "THUMB:05 28 ......"
    #key client2.key
    ns-cert-type server
    verb 4

    but it gets a error message

    Sun Oct 21 17:13:07 2007 us=188717 Cannot load certificate "THUMB:05 28 ....." from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Cannot find the certificate and private key for decryption.
    Sun Oct 21 17:13:07 2007 us=408817 Exiting

    sooo... I'm apparently doing something wrong w/ importing the ca to the windows store... can anyone expand on this process as it is pretty "vague" in the documentation... (maybe they "rightfully" expect u to have more of an idea what you are doing if you are trying this.... :)  but i don't so .... if someone could possibly help me out that would be super and most appreciated.

    best regards and thank you for taking the time to read this.


    I was apparently not aware i need to use openSSL to make a PKCS12 file for the ca /key

    anyways in case anyone else is searching later and confused about the cryptoapicert thing


    is the article that got me going.

    Best Regards

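The fix described in the post (using OpenSSL to build a PKCS#12 file so the certificate and its private key go into the Windows store together), as an added example that is not part of the original post. `ca.crt` and `client2.key` follow the posted config; `client2.crt`, `client2.p12`, the friendly name, the password file and the throwaway demo CA are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): PKCS#12 bundle + cryptoapicert line.
set -eu

# True only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)" = \
    "$(openssl pkey -in "$2" -pubout -outform DER | openssl sha256)" ]
}

# Bundle cert ($1), key ($2) and CA cert ($3) into PKCS#12 file $4,
# protected by the password stored in file $5.
make_p12() {
  key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
  openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
    -name "openvpn-client" -out "$4" -passout "file:$5"
}

# Print the SHA-1 thumbprint of cert $1 as space-separated hex pairs.
thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 |
    sed -e 's/^.*=//' -e 's/:/ /g' | tr 'A-F' 'a-f'
}

# Demo in directory $1 with a constructed throwaway CA and client certificate.
demo() (
  cd "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout ca.key -out ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client2" \
    -keyout client2.key -out client2.csr 2>/dev/null
  openssl x509 -req -in client2.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 1 -out client2.crt 2>/dev/null
  printf '%s\n' 'constructed-demo-password' > p12.pass
  make_p12 client2.crt client2.key ca.crt client2.p12 p12.pass
  echo "cryptoapicert \"THUMB:$(thumbprint client2.crt)\""
)

demo "$(mktemp -d)"
```

Importing the resulting `.p12` through the Windows certificate import wizard places the private key in the store next to the certificate, which is what the `CryptAcquireCertificatePrivateKey` error in the post was missing. The printed line then replaces the `cert`/`key` directives in the `.ovpn` file.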