Hello, I posted the following question here, and was redirected to this
mailing list for support.
https://forums.openvpn.net/viewtopic.php?t=35445
I've been trying to find a way for OpenVPN to detect the correct cert in
the Windows cert store using the issuer and specifying our internal CA. I
found it is possible to use cryptoapicert ISSUER: according to this code
on GitHub, https://github.com/OpenVPN/openvpn/blob ... ryptoapi.c, with
the following section:
find_certificate_in_store(const char *cert_prop, HCERTSTORE cert_store)
{
    /* Find, and use, the desired certificate from the store. The
     * 'cert_prop' certificate search string can look like this:
     * SUBJ:<certificate substring to match>
     * THUMB:<certificate thumbprint hex value>, e.g.
     * THUMB:f6 49 24 41 01 b4 fb 44 0c ce f4 36 ae d0 c4 c9 df 7a b6 28
     * The first matching certificate that has not expired is returned.
     */
    const CERT_CONTEXT *rv = NULL;
    DWORD find_type;
    const void *find_param;
    unsigned char hash[255];
    CRYPT_HASH_BLOB blob = {.cbData = 0, .pbData = hash};
    struct gc_arena gc = gc_new();

    if (!strncmp(cert_prop, "SUBJ:", 5))
    {
        /* skip the tag */
        find_param = wide_string(cert_prop + 5, &gc);
        find_type = CERT_FIND_SUBJECT_STR_W;
    }
    else if (!strncmp(cert_prop, "ISSUER:", 7))
    {
        find_param = wide_string(cert_prop + 7, &gc);
        find_type = CERT_FIND_ISSUER_STR_W;
    }
    else if (!strncmp(cert_prop, "THUMB:", 6))
    {
        find_type = CERT_FIND_HASH;
        find_param = &blob;
        blob.cbData = parse_hexstring(cert_prop + 6, hash, sizeof(hash));
        if (blob.cbData == 0)
        {
            msg(M_WARN|M_INFO, "WARNING: cryptoapicert: error parsing <%s>.", cert_prop);
            goto out;
        }
    }
    else
    {
        msg(M_NONFATAL, "Error in cryptoapicert: unsupported certificate specification <%s>", cert_prop);
        goto out;
    }
Am I wrong in assuming ISSUER: is a search parameter under
cryptoapicert?
I've tried it in a lab and receive the message *"unsupported certificate
specification <ISSUER:....>"*
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
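The selector dispatch of the quoted function, rebuilt as a portable stand-in (an added example, not OpenVPN's code): it mirrors the SUBJ:/ISSUER:/THUMB: prefixes and the space-separated thumbprint format from the comment, and makes visible that the "unsupported certificate specification" message is the final else branch, which any prefix the running binary's parser does not know about falls into. The enum, parse_hexstring and classify_cert_prop here are this example's own names; Windows CERT_FIND_* constants are replaced by the enum so it compiles anywhere.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the CERT_FIND_* values used in the quoted cryptoapi.c. */
enum cert_sel_kind { SEL_UNSUPPORTED = 0, SEL_SUBJ, SEL_ISSUER, SEL_THUMB };

/* Decode a thumbprint like "f6 49 24 41 ..." (spaces or colons between bytes
 * are optional). Returns the number of bytes written, 0 on any malformed input,
 * which is the condition the quoted code reports as "error parsing". */
static size_t parse_hexstring(const char *s, unsigned char *out, size_t out_len)
{
    size_t n = 0;
    while (*s)
    {
        if (*s == ' ' || *s == ':') { s++; continue; }
        if (!isxdigit((unsigned char)s[0]) || !isxdigit((unsigned char)s[1]))
            return 0;                       /* odd length or non-hex character */
        if (n >= out_len)
            return 0;                       /* longer than the hash buffer */
        unsigned v = 0;
        for (int i = 0; i < 2; i++)
        {
            char c = (char)tolower((unsigned char)s[i]);
            v = v * 16 + (c >= 'a' ? (unsigned)(c - 'a' + 10) : (unsigned)(c - '0'));
        }
        out[n++] = (unsigned char)v;
        s += 2;
    }
    return n;
}

/* Classify a cryptoapicert selector. For SUBJ:/ISSUER: the search string starts
 * at *param; for THUMB: the decoded bytes land in hash and *hash_len gets their
 * count (0 means malformed). Anything else is the "unsupported" branch. */
static enum cert_sel_kind classify_cert_prop(const char *cert_prop, const char **param,
                                             unsigned char *hash, size_t hash_cap,
                                             size_t *hash_len)
{
    *param = NULL;
    *hash_len = 0;
    if (!strncmp(cert_prop, "SUBJ:", 5))   { *param = cert_prop + 5; return SEL_SUBJ; }
    if (!strncmp(cert_prop, "ISSUER:", 7)) { *param = cert_prop + 7; return SEL_ISSUER; }
    if (!strncmp(cert_prop, "THUMB:", 6))
    {
        *hash_len = parse_hexstring(cert_prop + 6, hash, hash_cap);
        return SEL_THUMB;
    }
    return SEL_UNSUPPORTED; /* a parser without the ISSUER: branch lands here too */
}
```

A binary built from a source tree without the ISSUER: branch returns SEL_UNSUPPORTED for "ISSUER:..." exactly as the quoted else branch does, so comparing the installed version's cryptoapi.c against the master-branch copy is the first check to make.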