diff --git a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml index 9be23ed2f..71b124766 100644 --- a/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml +++ b/src/opnsense/mvc/app/controllers/OPNsense/OpenVPN/forms/export_options.xml @@ -45,6 +45,15 @@ checkbox Verify the server certificate name when the client connects + + openvpn_export.cryptoapi + + checkbox + + + Load the certificate and private key from the Windows Certificate System Store (Windows/OpenSSL Only). + + openvpn_export.auth_nocache diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php index c0afb2cfe..6bb682d9b 100644 --- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php +++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ArchiveOpenVPN.php @@ -48,7 +48,7 @@ class ArchiveOpenVPN extends PlainOpenVPN */ public function supportedOptions() { - return array("plain_config", "p12_password", "random_local_port", "auth_nocache"); + return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi"); } /** 
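Review bot: The help text of the new cryptoapi checkbox does not tell the administrator what the export will and will not contain: with the option on, no certificate or private key is written into the export at all, and the client profile instead selects the certificate from the Windows store by the client's subject name, so that certificate (with its key) must already be imported there and the name must be unique in the store. Suggest extending the help text to something like `Load the certificate and private key from the Windows Certificate System Store instead of exporting them (Windows/OpenSSL only). The certificate must already be imported into the store; it is selected by the client's common name, which must be unique there.` The name-based selection is inferred from the PlainOpenVPN change elsewhere in this commit rather than from this hunk, so adjust the wording if the selector changes.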
@@ -74,15 +74,25 @@ class ArchiveOpenVPN extends PlainOpenVPN
 }
 mkdir($content_dir, 0700, true);
- $p12 = $this->export_pkcs12(
- $this->config['client_crt'],
- $this->config['client_prv'],
- !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
- !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
- );
+ if (empty($this->config['cryptoapi'])) {
+ // export keypair
+ $p12 = $this->export_pkcs12(
+ $this->config['client_crt'],
+ $this->config['client_prv'],
+ !empty($this->config['p12_password']) ? $this->config['p12_password'] : null,
+ !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null
+ );
- file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
- $conf[] = "pkcs12 {$base_filename}.p12";
+ file_put_contents("{$content_dir}/{$base_filename}.p12", $p12);
+ $conf[] = "pkcs12 {$base_filename}.p12";
+ } else {
+ // use internal Windows store, only flush ca (when available)
+ if (!empty($this->config['server_ca_chain'])) {
+ $cafilename = "{$base_filename}.crt";
+ file_put_contents("{$content_dir}/$cafilename", implode("\n", $this->config['server_ca_chain']));
+ $conf[] = "ca {$cafilename}";
+ }
+ }
 if (!empty($this->config['tls'])) {
 $conf[] = "tls-auth {$base_filename}-tls.key 1";
 file_put_contents("{$content_dir}/{$base_filename}-tls.key", trim(base64_decode($this->config['tls'])));
diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
index 501ef74bf..ddd519ee8 100644
--- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
+++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/PlainOpenVPN.php
@@ -48,7 +48,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider
 */
 public function supportedOptions()
 {
- return array("plain_config", "random_local_port", "auth_nocache");
+ return array("plain_config", "random_local_port", "auth_nocache", "cryptoapi");
 }
 /**
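Review bot: The new else branch silently produces a client profile with no trust anchor when `server_ca_chain` is empty: the `ca` directive is only written "when available", and with cryptoapi on there is no pkcs12 file that could carry the CA either, so the exported configuration cannot verify the server and OpenVPN will refuse to use it (it requires ca, pkcs12 or a fingerprint-based method, and this exporter emits none of those in that case). That should be an explicit export failure rather than a quiet omission, e.g. `throw new \RuntimeException("cryptoapi export requires the server CA chain");` where the inner `if` currently skips, or at least a visible warning in the UI, whichever matches the error handling the exporter uses elsewhere. The `file_put_contents()` call for the CA file is unchecked, consistent with the existing writes but worth a return-value check now that this is the only trust material in the archive. The function this hunk patches starts and ends outside the hunk.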
@@ -130,6 +130,9 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider $conf[] = "remote-cert-tls server"; } } + if (!empty($this->config['cryptoapi'])) { + $conf[] = "cryptoapicert \"SUBJ:{$this->config['client_cn']}\""; + } if (in_array($this->config['mode'], array('server_user', 'server_tls_user'))) { $conf[] = "auth-user-pass"; if (!empty($this->config['auth_nocache'])) { @@ -148,7 +151,6 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider } } } - return $conf; } @@ -166,7 +168,7 @@ class PlainOpenVPN extends BaseExporter implements IExportProvider } $conf[] = ""; } - if ($this->config['mode'] !== "server_user") { + if ($this->config['mode'] !== "server_user" && empty($this->config['cryptoapi'])) { $conf[] = ""; $conf = array_merge($conf, explode("\n", trim($this->config['client_crt']))); $conf[] = ""; diff --git a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php index e2ac61ce1..6699b7a57 100644 --- a/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php +++ b/src/opnsense/mvc/app/library/OPNsense/OpenVPN/ViscosityVisz.php @@ -48,7 +48,7 @@ class ViscosityVisz extends PlainOpenVPN */ public function supportedOptions() { - return array("plain_config", "p12_password", "random_local_port", "auth_nocache"); + return array("plain_config", "p12_password", "random_local_port", "auth_nocache", "cryptoapi"); } /** 
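Review bot: The added `cryptoapicert "SUBJ:{$this->config['client_cn']}"` line interpolates the certificate subject into a quoted OpenVPN config directive with no escaping, so a CN containing a double quote or backslash breaks or alters the directive, and OpenVPN's SUBJ: selector is (to my reading of its cryptoapi code) a substring match on the store's subject names, so a CN that is a prefix of another imported certificate's CN can select the wrong key. It is also emitted regardless of `mode`, while the later hunk in this file shows that `server_user` mode has no client certificate to select, so that mode would get a dangling `cryptoapicert` directive. Since the exporter already has the PEM certificate in `client_crt`, selecting by thumbprint is exact and needs no escaping; the sketch below does that and gates on mode, with the failure handling to be aligned with the exporter's conventions. The enclosing method starts and ends outside the hunk.
```php
// … unchanged: remote-cert-tls handling …
if (!empty($this->config['cryptoapi']) && $this->config['mode'] !== "server_user") {
    // THUMB: selects exactly one store entry; SUBJ: is a substring match on the subject
    $thumb = openssl_x509_fingerprint($this->config['client_crt'], 'sha1');
    if ($thumb === false) {
        throw new \RuntimeException("unable to compute client certificate thumbprint");
    }
    $conf[] = 'cryptoapicert "THUMB:' . implode(' ', str_split($thumb, 2)) . '"';
}
// … unchanged: auth-user-pass handling …
```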
@@ -108,15 +108,24 @@ class ViscosityVisz extends PlainOpenVPN } mkdir($content_dir, 0700, true); - $p12 = $this->export_pkcs12( - $this->config['client_crt'], - $this->config['client_prv'], - !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, - !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null - ); + if (empty($this->config['cryptoapi'])) { + // export keypair + $p12 = $this->export_pkcs12( + $this->config['client_crt'], + $this->config['client_prv'], + !empty($this->config['p12_password']) ? $this->config['p12_password'] : null, + !empty($this->config['server_ca_chain']) ? $this->config['server_ca_chain'] : null + ); - file_put_contents("{$content_dir}/pkcs.p12", $p12); - $conf[] = "pkcs12 pkcs.p12"; + file_put_contents("{$content_dir}/pkcs.p12", $p12); + $conf[] = "pkcs12 pkcs.p12"; + } else { + // use internal Windows store, only flush ca (when available) + if (!empty($this->config['server_ca_chain'])) { + file_put_contents("{$content_dir}/ca.crt", implode("\n", $this->config['server_ca_chain'])); + $conf[] = "ca ca.crt"; + } + } if (!empty($this->config['tls'])) { $conf[] = "tls-auth ta.key 1"; file_put_contents("{$content_dir}/ta.key", trim(base64_decode($this->config['tls']))); diff --git a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml index 95a19e6e8..4c25ec080 100644 --- a/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml +++ b/src/opnsense/mvc/app/models/OPNsense/OpenVPN/Export.xml @@ -27,6 +27,10 @@ 1 Y + + 0 + N + 0 N
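Review bot: The new else branch is a near-verbatim copy of the one added to ArchiveOpenVPN in this same commit (only the target filename differs), and both classes extend PlainOpenVPN per the hunk trailers, so the CA-file writing belongs in one protected helper on the parent, e.g. `protected function writeCaFile(string $dir, string $filename): ?string` returning the `ca …` directive or null. That also gives a single place to decide what happens when `server_ca_chain` is empty, which here silently yields a profile with no `ca` directive and no pkcs12 to fall back on, i.e. nothing the client can verify the server with. The enclosing method starts and ends outside the hunk.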