Certificate in Windows Certificate Store


freddy1975

Posts: 2
Joined: Mon Mar 11, 2013 8:23 pm

Post by freddy1975 » Mon Mar 11, 2013 8:58 pm
Hi,

I saved my client certificate in the Windows Certificate Store and use the command <cryptoapicert "SUBJ:client2"> in the ovpn-configuration file. This works with OpenVPN 2.2.2 and OpenVPN GUI.

When I try to start this configuration with Viscosity the connection fails and I can see the following error in the log file: "Cannot load certificate "SUBJ:client2" from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Das Zertifikat und der private Schlüssel für die Entschlüsselung wurden nicht gefunden." Viscosity works fine, when the certificate files are in the file system (ca *.crt / key client2.key / cert client2.crt in the configuration file).

I'm working with Windows 7 64bit. I saved the client certificates in Windows Certificate Store in the personal certificate store and in the computer's certificate store. Even though it's not necessary for OpenVPN 2.2.2, I saved the CA certificate in the Trusted Root Certification Authorities. I also tried to start Viscosity with administrator privileges.

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Mar 11, 2013 10:01 pm
Hi freddy1975,

No matter what user you run Viscosity with, OpenVPN is going to be started as the user SYSTEM by ViscosityService, so storing the certificates in Personal probably isn't going to work (even though it should).

The error you are getting indicates that there is something wrong with the certificate, specifically that it cannot find the certificate or private key to decrypt your certificate with. The CA file will be required in order for your certificate to be usable unless you are using a p12 bundle.

The best thing to try first is to delete all copies of all your certificates relating to your OpenVPN connection and then store a single working copy of them in the Trusted People container (off memory this is accessible to all users). Also try setting Viscosity to use OpenVPN 2.2 as you had this working successfully before. To do this, open Viscosity Preferences, go to the Advanced tab and select 2.2 in the OpenVPN version drop down.

Let us know if any of this helps.

Regards,

Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs

freddy1975

Posts: 2
Joined: Mon Mar 11, 2013 8:23 pm

Post by freddy1975 » Wed Mar 13, 2013 2:26 am
Hi Eric,

thanks for your quick reply.

The problem seems to be a little bit strange. I guess it's a problem with Windows rights management.

As you told me, I deleted all OpenVPN related certificates and stored it first in My Trusted People Container and tried it. After that I moved the certificate to my computer's Trusted People Container which didn't work as well (I tried this with Automatic, V 2.2 and V 2.3 OpenVPN configuration in Viscosity). By the way my separate OpenVPN 2.2.2 installation didn't work either with the certificates in the Trusted People Container.

So I put the certificate back to My Personal Container and started the Viscosity service with my user rights (admin). This solution works. But I'd rather start it with system rights as preconfigured.

Do you have any ideas?

Eric

Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Thu Mar 21, 2013 2:09 pm
Hi freddy1975,

I apologise for the delayed reply.

Unfortunately running the service as Admin might be the only way at the moment unless you can locate a certificate store that the System user can access and read. I've gone through the MS Documentation about the Certificate Manager and have found nothing that points me to a solution.

We will also do some investigation to see if we can allow an option for OpenVPN to be started as a particular user rather than System to allow a solution to this down the line.

Regards,

Eric
Eric Thorpe
Viscosity Developer


Flamme_2

Posts: 1
Joined: Fri Apr 24, 2020 12:29 am

Post by Flamme_2 » Fri Apr 24, 2020 1:01 am
Hi everybody.

I have the same problem and I found a workaround.
Yes, I know this post is outdated, but Google returns this post as the first result if you search for this:
"cryptoapicert can't find crypto api viscosity"

And if, like me, you have the problem, you can try to fix it by following these steps:

1 - Import your certificate into your certificate data store. For the test, I imported it into both the User and Computer data stores.

2 - In Viscosity, configure the cryptoapicert option to use THUMB instead of SUBJ

Like this:
cryptoapicert "THUMB:c01........"

See the documentation here:
https://www.sparklabs.com/support/kb/ar ... ptoapicert

3 - Try to connect
For me, it works only with THUMB, not with SUBJ.

How to find THUMB?
You can find THUMB in your certificate data store:
1 - Execute the "mmc" console
2 - File > Add/Remove > Certificates > Add > OK
3 - Go to Personal > Certificates > "Your certificate"
4 - Go to the "Detail" tab; at the end of the list, copy the value of "Thumbprint"
5 - Replace the cryptoapicert line with
cryptoapicert "THUMB:<value of Thumbprint>"
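
Added example (not part of the original thread, and not Viscosity or OpenVPN code): a PowerShell check that lists matching certificates in the user and computer Personal stores discussed above, reports whether Windows has a private key associated with each, and prints the `cryptoapicert "THUMB:..."` line for it. The subject `client2` comes from the first post; the function name `Get-VpnCertCandidate` is made up for this example.

```powershell
# Added example: constructed for this thread, not Viscosity or OpenVPN code.
# 'client2' is the subject from the first post; change it to match your certificate.
$subjectMatch = 'client2'

# The two "Personal" stores mentioned in the thread. Cert:\CurrentUser resolves to
# the account running this script, so under SYSTEM it is SYSTEM's own store,
# not the store of the logged-on user.
$stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\My'

function Get-VpnCertCandidate {
    param([string]$Match, [string[]]$StorePath)
    foreach ($path in $StorePath) {
        Get-ChildItem -Path $path -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -like "*$Match*" } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $path
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey
                    Expired       = ($_.NotAfter -lt (Get-Date))
                    ConfigLine    = 'cryptoapicert "THUMB:{0}"' -f $_.Thumbprint
                }
            }
    }
}

$found = @(Get-VpnCertCandidate -Match $subjectMatch -StorePath $stores)
Write-Host "Running as: $([Security.Principal.WindowsIdentity]::GetCurrent().Name)"

if ($found.Count -eq 0) {
    Write-Warning "No certificate with a subject containing '$subjectMatch' in $($stores -join ', ')"
}
if ($found.Count -gt 1) {
    Write-Warning "More than one match: selecting by subject is ambiguous, a thumbprint is not."
}
foreach ($c in $found) {
    if (-not $c.HasPrivateKey) {
        # Only the public certificate was imported (e.g. a .crt without the key).
        Write-Warning "$($c.Store): $($c.Thumbprint) has no associated private key."
    }
}
$found | Format-List
```

Run it once as your own user and once under the account the VPN service uses; a certificate that appears in one run and not the other is stored in a per-user store rather than the computer store.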