Unable to use company internal issued certificate in windows certificate store when performing TLS


I am trying to use K6 to load test our an internal service, that is using a company internally created certificate authority issued certificates. The certificate is stored inside the local machine’s windows certificate store, and it does not allow the export of the private key out.

Using K6 without specifying the “tlsAuth” section inside the “options” will lead to call failure error: “Internal error while receiving credentials” (this error is sent by our server). It seems that K6 won’t able to take the private key out of the windows certificate store.

Even though we don’t have the clear text private key, we do have a private key id file (the thumbprint of the cert, something like this: “engine:e_ncrypt:machine:my:AAAAAABBBBBBCCCCCCDDDDDDEEEEEEFFFFFFGGGG” (the thumbprint is replaced), and access to the PEM file of the public cert. Based on my co-worker, the certificate can be accessed via OpenSSL ncrypt engine (OpenSSL commands with the engine(s) — OpenSSL CNG Engine documentation)

It seems K6 only supports specifying the clear text private key, this is considered insecure to store the private key in clear text. So my questions are:

  1. Is it possible to add support to access windows certificate store giving the private key id and the public cert in pem format?
  2. Is this something can be added via K6 extensions (Go or Javascript)? Or due to authentication is a core functionality of K6, that it can only be added by modifying K6 code base directly?

Thanks a lot!

Hi @xiananfan, welcome to the community forum.

I have basically no idea how " local machine’s windows certificate store" works but it’s likely that it isn’t supported.

As for password protected keys- this also isn’t :(. It has been asked about before but nobody has opened an issue.

All in all I do think tlsAuth is pretty badly designed, and we will need this feature to be implemented in order for this to be more reasonable.

For your particular case maybe a smaller fix can be made to tlsauth so please open an issue (or two separate ones).

I don’t think that is possible or at least it will be really hackish like editing lib.State which likely will be broken in a future update in some way :wink:

Hi @mstoykov ,

Thank you for your reply, I will try to create 2 issues: 1. supporting using “passphrase” protected private key 2. for windows platform, add support to access private key from windows certificate store with the id of the private key, so no cleartext private key is needed.

There seems to a be a golang library from google that is doing windows cert store access: just for reference: https://github.com/google/certtostore/blob/master/certtostore_windows.go

Created the following 2 issues: