How to import an OpenSSL key file into the Windows Certificate Store

10
votes

I've got an OpenSSL generated X.509 certificate in PEM format and it's associated key file. This certificate is required for authentication when connecting to a prototype server. This works fine on Linux. I've been using the Microsoft SChannel API to drive SSL/TLS connections on Windows platforms but I want to use the same test certificate. I can right-click on the certificate file and import it into my certificate store but I believe that the private key is not imported with it (even though I've concatenated them into the same file).

When I go to run the SChannel code, I get a 'SEC_E_NO_CREDENTIALS' error when I init the security context (via InitializeSecurityContext). I suspect this means that the private key is missing.

Does anyone know how to test the presence or absence of a private key in a certificate which is located in the Personal (or 'My') certificate store, accessed via 'certmgr.msc'?. Is it possible to import a new key file for a certificate in the store?

Any insight or advice would be much appreciated.

1
windowsopensslx509schannel
What a cute puzzle, I'm still trying to find the C++ question in there...Daniel Frey
Fair point, I've removed the tagGearoid Murphy

1 Answers

11
votes

To test if private key is installed for the certificate, double click the certificate icon in certmgr.msc. If it has private key, it will show a message in the property page that you have private key, otherwise it will not give any reference the the private key.

Certificate with a private key

To import the certificate with its private key, you can do the following:

  1. Pack the certificate and its private key into a PKCS #12 file or PFX file using openssl pkcs12. Here's an example.
  2. Import this PKCS #12 or PFX file into the certificate store.

Note that you may see errors when importing the pfx file, such as 'This file is invalid for use as the following: Personal Information Exchange'. This error was caused by the certificate lacking to appropriate X.509 v3 extensions (such as the usage fields (digital signature, etc))