
Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows

  • Subject: Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows
  • From: Didier Conchaudron <didier@xxxxxxxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 17:35:19 +0100

Mathias Sundman wrote:

> So, what you're saying is that if I import a non-encrypted private key into the IeCertStore, it will be saved in cleartext on my system?

I hope not! If you import a non-encrypted private key, the system or another program that needs access to your private key will be able to get it, using the MS CryptoAPI. The way Windows physically stores the certs/keys does not matter for our purpose.

> Again, I thought one of the benefits with using the CryptoStore was that Windows protected the key by encrypting it with the normal user logon credentials somehow.

Perhaps, but if an application needs access to your key, which is not intentionally protected, Windows will give access to this key. It does on my system; I don't have to give any password to give access to my key.

> If what you say is true, then an originally unencrypted private key imported to the CertStore can, almost as easily as a file, be retrieved from a stolen laptop's hard drive.

If the guy has admin access, probably. That's why using a smart card is better ;-)

> Are you sure about that?

Just test it. Make a p12 with a non-protected private key and try to start a tunnel with openvpn; it will start without any password.
Now, what I am saying is not that the file contains a non-encrypted key; maybe Windows encrypted it with a user-account-based password, but getting the key is transparent.

