Current Status of Windows User Certificate Store Support

Got a problem with Viscosity or need help? Ask here!

mujjy

Posts: 1
Joined: Mon Sep 06, 2021 5:52 pm

Post by mujjy » Mon Sep 06, 2021 6:01 pm
Hi,

I would like to know if there is been any progress to having viscosity access to the Windows built-in certificate store at the user level? or anything coming in the future?

Issue
cryptoapicert can only access the MACHINE store and the service account user store.

Our use case:
Certificates are issued by ADCS to the users automatically and are stored in their personal store.
OpenVPN server checks the username against the certificate CN
User-level certificates can be easily revoked.

Thank you in advance!

Eric

User avatar
Posts: 1146
Joined: Sun Jan 03, 2010 3:27 am

Post by Eric » Mon Sep 06, 2021 6:17 pm
Hi mujjy,

The cryptoapicert command will check both the System/Machine store, and the user who is running Viscosity, this has been the case for some time with Viscosity.

The service will first check the system store for a matching credential, if it is not found, you should see the following in the log, and then Viscosity will check the local users store for a matching credential:
Code: Select all
Failed to find object in LocalMachine/Administrator CryptoAPI. Falling back to search CurrentUser...
You will need to ensure there are no matching certificates in the machine store, and that Viscosity.exe is running as the correct user.

Just to clarify as well, a credential must be stored to work with the cryptoapicert command, i.e. a PFX/P12 file containing both the users certificate and key, not just a certificate.

If you're having issues, please feel free to post a complete copy of your log - https://sparklabs.com/support/kb/articl ... ed-logging

Regards,
Eric
Eric Thorpe
Viscosity Developer

Web: http://www.sparklabs.com
Support: http://www.sparklabs.com/support
Twitter: http://twitter.com/sparklabs
2 posts Page 1 of 1