Cannot load certificate after password change on AD

[skodde]

Hi,

I've successfully tested a configuration in which the client certificate is installed in the Current User store on Windows and it is retrieved via the cryptoapicert option.

Everything works fine on Windows 7 and 10 with OpenVPN 2.4.0 and previous versions, however, as soon as the AD user changes their password (on the same local machine), OpenVPN cannot load the certificate anymore.

This is the error I get:

OpenSSL:error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Key not valid for use in specified state.
Cannot load certificate "THUMB:xx ... xx" from Microsoft Certificate Store

The certificate is correctly present in certmgr after the password change.
I've tried locking, logging out, rebooting, shutting down, nothing helps.
After reinstalling the certificate, everything works perfectly fine again.

The error is always reproducible in different scenarios, connected to the AD network directly or via OpenVPN.

I expect everything would work using the Local Machine store, but I need to use the Current User one.

Thanks!

[Selva Nair]

Looks like the private key is not readable after password change. Windows use DPAPI to encrypt private key and somehow the user's master key used for that may not be getting re-wrapped after a password change.

I do not think this is a problem with OpenVPN -- cryptoapicert does work with domain users.

[skodde]

I can confirm that the issue is related to this Samba bug (fixed as of version 4.2.0): ​https://bugzilla.samba.org/show_bug.cgi?id=10980

[Gert Döring]

So if I'm reading this right, we can close this ticket as the bug is elsewhere?

[skodde]

Replying to cron2:

So if I'm reading this right, we can close this ticket as the bug is elsewhere?

Yes, thanks to #openvpn-devel for helping figure this out!