I am trying to use K6 to load test our internal service, which uses certificates issued by a certificate authority created internally by our company. The certificate is stored inside the local machine’s Windows certificate store, and it does not allow the private key to be exported.
Using K6 without specifying the “tlsAuth” section inside the “options” leads to a call failure error: “Internal error while receiving credentials” (this error is sent by our server). It seems that K6 is not able to take the private key out of the Windows certificate store.
Even though we don’t have the cleartext private key, we do have a private key id file (the thumbprint of the cert, something like this: “engine:e_ncrypt:machine:my:AAAAAABBBBBBCCCCCCDDDDDDEEEEEEFFFFFFGGGG”, where the thumbprint is replaced) and access to the PEM file of the public cert. According to my co-worker, the certificate can be accessed via the OpenSSL ncrypt engine (OpenSSL commands with the engine(s), OpenSSL CNG Engine documentation).
It seems K6 only supports specifying the cleartext private key, and storing the private key in clear text is considered insecure. So my questions are:
Is it possible to add support for accessing the Windows certificate store given the private key id and the public cert in PEM format?
Is this something that can be added via K6 extensions (Go or JavaScript)? Or, because authentication is a core functionality of K6, can it only be added by modifying the K6 code base directly?
Thank you for your reply. I will try to create 2 issues: 1. support for using a “passphrase”-protected private key; 2. for the Windows platform, support for accessing the private key from the Windows certificate store with the id of the private key, so no cleartext private key is needed.