[stunnel-users] stunnel and CAPI on Windows

Małgorzata Olszówka Malgorzata.Olszowka at stunnel.org
Tue Jun 5 09:46:18 CEST 2018


W dniu 23.05.2018 o 11:16, Brian Ipsen pisze:
>   I am trying to use the Microsoft certificate store/API for client 
> validation of Windows hosts towards an F5.
> 
> Everything works, when we use file-based certificates - but for security 
> purposes I would prefer to use the windows certificate store, and set 
> the private key on the client as non-exportable...
> 
> engineId = capi

> [F5CertAdmin]
> client=yes
> accept = 127.0.0.1:1679
> connect = w.x.y.z:443
> delay = yes
> sni = ssl79admpki.xxxx.com
> CApath = C:\Program Files (x86)\stunnel\config\certs
> CAFile = C:\Program Files 
> (x86)\stunnel\config\certs\GlobalSign-Cert-Chain.pem
> verify = 2
> engineId = capi
> key = BaaSClientCertificateCP
> cert = BaaSClientCertificateCP
> 

Hello Brian,
With the CAPI engine you don't need to manually select the client key to 
use. Don't use key and cert options. The client key is automatically 
selected based on the list of CAs trusted by the server.

Regards,
Małgorzata


More information about the stunnel-users mailing list