Bug Report
Describe the bug
Loading client certificates from the Windows built-in certstore for mTLS on output plugins is not working on 4.2.2. The certificate does not seem to be presented on the TLS handshake when mTLS is enforced on the remote server. Debug logging shows that the client certificate from the certstore was loaded successfully: [debug] [tls] loaded 1 certificate(s) by thumbprint from 'My'.
Changing the configuration to instead load the same certificate from file, the connection is accepted.
To Reproduce
```yaml
outputs:
  - name: http
    match: '*'
    host: <ip>   # host requires mTLS
    port: <port>
    tls: on
    tls.windows.certstore_name: My   # Or LocalMachine\My
    tls.windows.client_thumbprints: <cert thumbprint>
```
The handshake fails and the connection is closed. Changing only to the following configuration, the TLS handshake is successful:
```yaml
outputs:
  - name: http
    match: '*'
    host: <ip>   # host requires mTLS
    port: <port>
    tls: on
    tls.crt_file: <path to exported cert>
    tls.key_file: <path to exported key>
```
Loading trusted issuers from certstore works in both configurations, though.
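As an added check (not from the issue and not Fluent Bit code), the PowerShell function below confirms that the thumbprint given in tls.windows.client_thumbprints resolves to a store entry an mTLS client could actually use: the private key is present and readable by the current account, the Client Authentication EKU is present, and the certificate is unexpired. It assumes it is run under the same account the Fluent Bit service uses, since private-key access is per-account; a clean result rules out the store entry itself and leaves the plugin's certstore path as the remaining suspect.

```powershell
# Added diagnostic, not part of the issue or of Fluent Bit. Run as the Fluent Bit service
# account (assumption), because a key readable by an admin may not be readable by a service.
function Test-ClientCertForMtls {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,      # tls.windows.client_thumbprints
        [ValidateSet('CurrentUser', 'LocalMachine')]
        [string] $StoreLocation = 'LocalMachine',
        [string] $StoreName = 'My'                        # tls.windows.certstore_name
    )
    # Normalise: drop spaces/colons and upper-case, the form the store reports thumbprints in.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path "Cert:\$StoreLocation\$StoreName" |
            Where-Object { $_.Thumbprint -eq $tp } | Select-Object -First 1
    if (-not $cert) {
        return [pscustomobject]@{ Thumbprint = $tp; Found = $false; Usable = $false
                                  Problems = @("not found in $StoreLocation\$StoreName") }
    }
    $problems = @()
    if (-not $cert.HasPrivateKey) {
        $problems += 'no private key associated with this certificate'
    } else {
        # Actually open the key: HasPrivateKey can be true while this account cannot read it.
        try {
            $key = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
            if (-not $key) {
                $key = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPrivateKey($cert)
            }
            if (-not $key) { $problems += 'private key is neither RSA nor ECDSA' }
        } catch {
            $problems += "private key not accessible to $env:USERNAME ($($_.Exception.Message))"
        }
    }
    # Client Authentication EKU is OID 1.3.6.1.5.5.7.3.2; a cert with no EKU extension is unrestricted.
    $ekuExt = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if ($ekuExt) {
        $oids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if ($oids -notcontains '1.3.6.1.5.5.7.3.2') { $problems += 'missing Client Authentication EKU' }
    }
    if ($cert.NotAfter -lt (Get-Date)) { $problems += "expired on $($cert.NotAfter)" }
    [pscustomobject]@{
        Thumbprint = $tp; Found = $true; Subject = $cert.Subject
        Usable = ($problems.Count -eq 0); Problems = $problems
    }
}

# Example call; substitute the thumbprint from the failing configuration.
# Test-ClientCertForMtls -Thumbprint '<cert thumbprint>' -StoreLocation LocalMachine -StoreName My | Format-List
```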
Expected behavior
Successful connection to the remote host using certstore client cert.
Your Environment
- Version used: 4.2.2
- Operating System and version: Windows Server 2025
- Filters and plugins: http, winevtlog
Additional context
Exporting the certificates and keys manually to file is not feasible in this environment. It should work similarly to Fluentd.