I'm trying to use the CAPI engine to renew a certificate which is stored in the Windows certificate store (Local Computer/Personal (My)). Loading the engine dynamically and listing the certificate, including its container, works fine. I'm also adding the engine to the list of engines, but when I try to use the key in the following x509 command (same openssl process) it fails, unable to find it. If the certificate is in Current User/My, everything works fine. My understanding from that behaviour is that store_flags:1, set in the first command (engine), does not affect command 2 (x509), and the certificate/key is being searched for in Current User instead of Local Machine. I cannot find a way to pass that parameter within the x509 command. How should this be done?
====== SESSION OUTPUT ============
openssl
WARNING: can't open config file: /usr/local/ssl/openssl.cnf
OpenSSL> engine -t dynamic -pre "SO_PATH:capi" -pre ID:capi -pre LIST_ADD:1 -pre LOAD -post store_flags:1 -post list_options:35 -post lookup_cert:localhost
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:capi
[Success]: ID:capi
[Success]: LIST_ADD:1
[Success]: LOAD
Loaded: (capi) CryptoAPI ENGINE
     [ available ]
[Success]: store_flags:1
[Success]: list_options:35
Friendly Name "IIS Express Development Certificate"
  Subject: CN = localhost
  Issuer: CN = localhost
  Private Key Info:
    Provider Name: Microsoft RSA SChannel Cryptographic Provider, Provider Type 12
    Container Name: IIS Express Development Certificate Container, Key Type 1
[Success]: lookup_cert:localhost
OpenSSL> x509 -x509toreq -engine capi -keyform engine -in localhost.cer -signkey localhost -out localhost.req
engine "capi" set.
Loading 'screen' into random state - done
Getting request Private Key
cannot load request key from engine
12852:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:.\crypto\engine\eng_pkey.c:126:unable to load request key
error in x509
OpenSSL>
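An added illustration, not part of the question above: the -pre/-post ctrl commands given to the engine subcommand apply only to the engine instance that subcommand initialises, and the capi engine keeps store_flags in a per-instance context that is released when that subcommand finishes, so a later x509 -engine capi (which has no option of its own for engine ctrls) re-initialises the engine with the default flags and looks in the Current User store. One way to have store_flags applied every time the engine is loaded is an engine section in openssl.cnf, which the openssl tool processes at startup; the WARNING line in the session shows the compiled-in default path /usr/local/ssl/openssl.cnf was not found, so the file has to be named via the OPENSSL_CONF environment variable. The dynamic_path value below is an assumption (the location of the capi engine DLL on the reader's machine); everything else follows the engine configuration module documented in config(5).

```ini
# openssl.cnf fragment (added example, not taken from the question).
# Set OPENSSL_CONF to this file's path before running openssl.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
capi = capi_section

[capi_section]
engine_id = capi
# Assumption: path to the capi engine DLL on this machine.
dynamic_path = C:\OpenSSL\lib\engines\capi.dll
# Initialise first: the capi engine rejects ctrls such as store_flags
# until its context exists (ENGINE_NOT_INITIALIZED otherwise).
init = 1
# 1 = search the Local Machine (system) store instead of Current User.
store_flags = 1
default_algorithms = ALL
```

With this in place the x509 subcommand still needs -engine capi -keyform engine, but the engine it picks up is the one initialised from the config, so the store_flags setting is already in effect when ENGINE_load_private_key looks up the key. The ordering of init before store_flags matters; the ctrl names after engine_id, dynamic_path, init and default_algorithms are passed straight to the engine as ctrl commands, in the order written.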