OpenVPN Ver 2.6.12 Connectivity Issue with OpenVPN Connect V3

[Cancer-zern]

There was an issue with OpenVPN V 2.6.12 logs are mentioned below

Logs:
2024-11-04 11:35:49 Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

Troubleshooting:
We face that issue when we have both applications on the same PC. After connecting OpenVPN Connect V3, we will get this error in OpenVPN V 2.6.12.

1. We install the OpenVPN V 2.6.12 and install the certificate.
2. Check the connectivity, and it's connected.
3. Install OpenVPN Connect V3.
4. Create the Profile import configuration, install, and select the certificate for the profile.
5. Check the connectivity for OpenVPN Connect V3, and it's connected.
6. Then disconnect OpenVPN Connect V3 go back to OpenVPN V 2.6.12 and try to connect and we are getting that error.
7. Just delete the certificate from MMC and install it again.
8. Check the connection for OpenVPN V 2.6.12 and its connection.

Note:
We don't have this error while using OpenVPN V 2.4./2.5. with OpenVPN Connect V3.

[selvanair]

Are you running OpenVPN from command line as administrator or from OpenVPN-GUI as limited user or some other way?

When the key stops working (after Connect V3 install), could you check whether the certificate shows as private key available? If the certificate is in the machine store, also check that permissions on the private key does not change.

[Cancer-zern]

I'm using OpenVPN-Gui run by my user account (run no as Admin) and install certificate for my user by certmgr.msc

[selvanair]

I'm using OpenVPN-Gui run by my user account (run no as Admin) and install certificate for my user by certmgr.msc

Check the private key associated with the certificate is still present in user store or not after the Connect V3 install.

[Cancer-zern]

Yep, still present

[selvanair]

Yep, still present

I'm out of ideas. You may want to check whether the cert and key is accessible as user using, say, powershell. Something must be changing when Connect V3 is installed and the certificate is linked -- I do not use Connect so I have no way to reproduce this.

[schwabe]

I asked the OpenVPN Connect team they have an idea what could cause this issue and their response is the following:

If OpenVPN 2.x uses same “OpenVPN Certificate Store" certificate store, then - yes. We migrated to "newer" Windows API for working with certificates, and we automatically migrate all the certificates in the "OpenVPN Certificate Store" store to non-exportable and using new CSP - "Microsoft Software Key Storage Provider" which supposed to be more secure. It is possible that after this migration it would not be possible to use them using old API, and CNG API must be used (https://learn.microsoft.com/en-us/windows/win32/seccng/cng-portal).

This certificate migration is done only when upgrading the Connect app. And also the new API that we use can still work with exportable certificates stored in older CSP. So if user has these certificates somewhere in the files, he/she can try to clear the store and add them again using windows GUI, and theoretically they should work in both app, if this is the reason for the issue.

That does not really answer the question why it is not working in this case but it indicates that there are scenarios where OpenVPN Connect messes with the keys it uses.

[schwabe]

One question that came back is what specific version of OpenVPN Connect you are using since the statement that I written before only applies to the latest 3.5.0 version of Connect. Older version used the older API.

[selvanair]

In OpenVN~-GUI~ we use CNG API so that could not be the issue. In fact the user says 2.4 works(!) which was probably using the legacy API. Also, we do not look for certificates in "OpenVPN Certificate Store" -- we only scan system stores for current-user and local machine.

If OpenVPN Connect only migrates certificates in its own custom store, I suppose it should not affect us. We'll need to reproduce this to know what exactly is going on.

[selvanair]

Regarding use of CNG API:

The fact that 2.4 works and 2.6 does not, to me it appears the opposite to be the case: in 2.6 we only support CNG keys, not legacy ones. Does older Connect versions move the key to a legacy provider?

@Cancer-zern on re-installing the certificate, does it work under both Connect and OpenVPN-GUI ?

[Cancer-zern]

One question that came back is what specific version of OpenVPN Connect you are using since the statement that I written before only applies to the latest 3.5.0 version of Connect. Older version used the older API.

I will check it today and let you know

[Cancer-zern]

Regarding use of CNG API:

The fact that 2.4 works and 2.6 does not, to me it appears the opposite to be the case: in 2.6 we only support CNG keys, not legacy ones. Does older Connect versions move the key to a legacy provider?

@Cancer-zern on re-installing the certificate, does it work under both Connect and OpenVPN-GUI ?

yep, if I re-install certificate for windows certificate storage as certmgr.msc then 2.6.* start working and connect also working with same certificate what I've installed before.

But if I will install new certificate to OpenVPN connect, then all certificates for 2.6.* stop working again.
Each time when I have to install new certificates to OpenVPN connect v3.5.0 old version 2.6.* stop working with all certificates.
Not affecting if 2.4 or 2.5

[Cancer-zern]

1. I've installed OpenVPN 2.6.12 and then certificate - connect to the server side its's working
2. Then install OpenVPN connect 3.5.0 then install certificate for v3 - connect working fine
3. After that I check connection for OpenVPN 2.6.12 it's not working same error
4. Remove OpenVPN connect 3.5.0 and restart PC, it's still same error.
5. Re-install certificate for certmgr.msc it's working again for v2.6.12

[Cancer-zern]

1. I've installed OpenVPN 2.6.12 and then certificate - connect to the server side its's working
2. Then install OpenVPN connect 3.5.0 then install certificate for v3 - connect working fine
3. After that I check connection for OpenVPN 2.6.12 it's not working same error
4. Remove OpenVPN connect 3.5.0 and restart PC, it's still same error.
5. Remove OpenVPN 2.6.12 and install OpenVPN 2.4.12 it's working without certificate re-install

[Cancer-zern]

OpenVPN 2.6.12 and OpenVPN-Connect V3.4.4 is working fine together

[selvanair]

I could not reproduce this with Connect 3.5.1 (A 100 MB download and 300 MB installed space -- ahem) and OpenVPN 2.6.11 (also tried git master version).
OS: Windows 10 Education

Uploaded the same certificate as used by OpenVPN 2.6 via cryptoapicert option into Connect V3 --- it adds the certificate and key into a custom store named "OpenVPN Certificate Store" as @schwabe mentioned. AFAICS The certificate in the default store that we use is unaffected and continues to work with OpenVPN 2.6.

I did not test how Connect 3.5.0 behaves.

See screenshots below showing certificates in the two stores -- here I'm using the one named "mra.." that can be seen to be present in two stores.

[Cancer-zern]

Windows 11 Enterprise
openvpn 2.6.12
openvpn-connect-3.5.1.3946

Same error as before
Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

1. We install the OpenVPN V 2.6.12 and install the certificate for certmgr.msc and import profile
2. Check the connectivity, and it's connected.
3. Install openvpn-connect-3.5.1.3946
4. Install certificate for openvpn-connect-3.5.1.3946
5. Try to connect from OpenVPN V 2.6.12 and we are getting that error.

Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working

[Cancer-zern]

Windows 10 Enterprise
openvpn 2.6.12
openvpn-connect-3.5.1.3946

Same error as before
Error in cryptoapicert: failed to acquire key. Key not present or is in a legacy token not supported by Windows CNG API: Keyset does not exist (errno=-2146893802)

1. We install the OpenVPN V 2.6.12 and install the certificate for certmgr.msc and import profile
2. Check the connectivity, and it's connected.
3. Install openvpn-connect-3.5.1.3946
4. Install certificate for openvpn-connect-3.5.1.3946
5. Try to connect from OpenVPN V 2.6.12 and we are getting that error.

Enough install certificate for openvpn-connect-3.5.1.3946 and v2.6.12 is stop working

[Cancer-zern]

I could not reproduce this with Connect 3.5.1 (A 100 MB download and 300 MB installed space -- ahem) and OpenVPN 2.6.11 (also tried git master version). OS: Windows 10 Education

Uploaded the same certificate as used by OpenVPN 2.6 via cryptoapicert option into Connect V3 --- it adds the certificate and key into a custom store named "OpenVPN Certificate Store" as @schwabe mentioned. AFAICS The certificate in the default store that we use is unaffected and continues to work with OpenVPN 2.6.

I did not test how Connect 3.5.0 behaves.

See screenshots below showing certificates in the two stores -- here I'm using the one named "mra.." that can be seen to be present in two stores.

Windows 11 Enterprise and Windows 10 Enterprise
openvpn 2.6.11
openvpn-connect-3.5.1.3946

Same error

We are checking with freshly installed OS every time

[Cancer-zern]

1. Install OpenVPN 2.6.12 and added certificate and connected and then disconnected

PS C:\Users\Test> Get-ChildItem -Path cert:\CurrentUser\My\ | Format-List -Property *

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {}
DnsNameList              : {XXX: 44244390}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 1/25/2027 3:10:01 AM
NotBefore                : 1/25/2022 3:00:01 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 4, 137...}
SerialNumber             : 5400004526200C7E45F9A11F77000100004526
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : D81F92BDFAD21AF57A085D24573B9EB380E003DD
Version                  : 3
Handle                   : 2416715395664
Issuer                   : CN=XXXXX-CA
Subject                  : CN=XXX: 44244390

2. Install openvpn-connect-3.5.1.3946 and added certificate for this application (no more)

PS C:\Users\Test> Get-ChildItem -Path cert:\CurrentUser\My\ | Format-List -Property *

PSPath                   : Microsoft.PowerShell.Security\Certificate::CurrentUser\My\D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSParentPath             : Microsoft.PowerShell.Security\Certificate::CurrentUser\My
PSChildName              : D81F92BDFAD21AF57A085D24573B9EB380E003DD
PSDrive                  : Cert
PSProvider               : Microsoft.PowerShell.Security\Certificate
PSIsContainer            : False
EnhancedKeyUsageList     : {}
DnsNameList              : {XXX: 44244390}
SendAsTrustedIssuer      : False
EnrollmentPolicyEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
EnrollmentServerEndPoint : Microsoft.CertificateServices.Commands.EnrollmentEndPointProperty
PolicyId                 :
Archived                 : False
Extensions               : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                           System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
FriendlyName             :
IssuerName               : System.Security.Cryptography.X509Certificates.X500DistinguishedName
NotAfter                 : 1/25/2027 3:10:01 AM
NotBefore                : 1/25/2022 3:00:01 AM
HasPrivateKey            : True
PrivateKey               : System.Security.Cryptography.RSACryptoServiceProvider
PublicKey                : System.Security.Cryptography.X509Certificates.PublicKey
RawData                  : {48, 130, 4, 137...}
SerialNumber             : 5400004526200C7E45F9A11F77000100004526
SubjectName              : System.Security.Cryptography.X509Certificates.X500DistinguishedName
SignatureAlgorithm       : System.Security.Cryptography.Oid
Thumbprint               : D81F92BDFAD21AF57A085D24573B9EB380E003DD
Version                  : 3
Handle                   : 2416715396816
Issuer                   : CN=XXXXX-CA
Subject                  : CN=XXX: 44244390

[selvanair]

The powershell output "before" and "after" doesn't show any significant difference in my view. The handle change may be just because the certificate enumeration has changed after Connect added one to its custom store. All other parameters are the same and nothing to indicate why the original certificate and key could stop being usable from OpenVPN 2.6.

FWIW, I also modified OpenVPN source to use "OpenVPN Certificate Store", and that also succeeds indicating that the certificate uploaded by Connect V3 is compatible with OpenVPN 2.6. But this should not matter as we only read the store "MY" for the user and machine.

No idea how to reproduce the error you see.