TLS on Windows Server 2019

Hi all,

I have a question regarding an error I’m getting while trying to set up a Vault 1.5.3 server on Windows Server 2019. I initially encountered this error in our work dev environment and then I was able to reproduce it in a Vagrant VM hosting a Windows Server 2019 instance as well. Here are the contents of my Vault config file:

storage "file" {
  path = "C:/Hashicorp/Vault/data"
}

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:/Hashicorp/Vault/certs/cert.pem"
  tls_cert_key = "C:/Hashicorp/Vault/certs/server.key"
}
disable_mlock = true
ui = true
api_addr = "https://10.0.2.15:8200"

When I launch this via the following:
vault server -config="C:\Hashicorp\Vault\config\vault-config.hcl"
I receive the following error:
Error initializing listener of type tcp: error loading TLS cert: open : The system cannot find the file specified
I’ve tried generating my certificates in a number of different ways, but on the last attempt I created a self-signed cert via IIS and then used the openssl commands to separate the key and cert:
# Just the key
openssl pkcs12 -in filename.pfx -nocerts -out key.pem
# Just the cert
openssl pkcs12 -in filename.pfx -clcerts -nokeys -out cert.pem
# Remove the password from the key
openssl rsa -in key.pem -out server.key

Any assistance is appreciated. If there’s a work around or some other way of doing this please let me know.

Thank you!
Mark

Just guessing here, but might this be a file or folder permission issue? Are you sure the user under which you run the Vault executable has access to those files?

Thank you for your reply!

I double-checked and the executing user has access to the location. I was able to reproduce the same behavior in a vanilla VM as well. I even tried opening a command prompt as administrator and running it that way as well. The same actions on previous versions of Windows Server work as expected.

Just to be sure, can you try regular Windows path notation, like this:

listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:\Hashicorp\Vault\certs\cert.pem"
  tls_cert_key = "C:\Hashicorp\Vault\certs\server.key"
}

Again, jeroenjacobs79, thanks for your time.

Here is what you get when you use standard Windows path notation:

Hello,

What stanza is located at line 44 of the config file?

In a Windows environment, \ (backslash) should be used as the path delimiter.

In order to verify the HCL syntax of the file, you can use Terraform: rename the config file to vault-config.hcl.tf, run terraform fmt, then rename the file back to its original filename.

Martin

Hi Martin!

Thanks for your feedback. I was able to perform your test, and I got the following:

Error: Invalid escape sequence

  on vault-config.tf line 7, in listener "tcp":
   7:   tls_cert_file = "C:\Hashicorp\Vault\certs\cert.pem"

The symbol "H" is not a valid escape sequence selector.

This we knew would happen though, right? Because the documentation says that the appropriate notation here is to use either

/ OR \\

Both of those notation styles on Windows Server 2019 appear to yield the error:
Error initializing listener of type tcp: error loading TLS cert: open : The system cannot find the file specified

Hello,

I did some research in my Windows testing environment, and it turned out that the tls_cert_key parameter does not exist; the correct parameter is tls_key_file.

Also, the \ (backslashes) need to be escaped. Your TLS configuration should look like:

  tls_cert_file = "C:\\Hashicorp\\Vault\\certs\\cert.pem"
  tls_key_file  = "C:\\Hashicorp\\Vault\\certs\\server.key"

Hope this helps!

Martin

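The two mistakes Martin found (a misspelled parameter that Vault quietly ignores, and a Windows path whose single backslashes HCL reads as escape sequences) are easy to catch before starting the server. The script below is an added example written for this thread, not Vault's own code or a full HCL parser: it scans the listener "tcp" stanza with regular expressions, flags keys outside an assumed list of valid tcp-listener parameters (a partial list taken from the listener documentation), flags invalid escape sequences in quoted strings, and reports when tls_cert_file or tls_key_file ends up unset, which is exactly why the original error reads "open : The system cannot find the file specified" with nothing between "open" and the colon. The three sample configs are constructed from the ones posted in the thread.

```python
"""Lint the listener "tcp" stanza of a Vault HCL config for the mistakes in this thread.

Added example (not Vault's own code): a regex scan of the stanza, not a full HCL parser.
It flags (1) keys Vault does not know (Vault ignores them instead of failing),
(2) quoted strings with invalid escape sequences, e.g. unescaped Windows backslashes,
(3) an unset tls_cert_file / tls_key_file while TLS is enabled, which is what produces
    'open : The system cannot find the file specified' (note the empty path after 'open').
"""
import difflib
import os
import re

# Assumed valid keys for the tcp listener (partial list from the listener docs; extend as needed).
KNOWN_TCP_LISTENER_KEYS = {
    "address", "cluster_address", "tls_disable", "tls_cert_file", "tls_key_file",
    "tls_min_version", "tls_cipher_suites", "tls_client_ca_file",
    "tls_require_and_verify_client_cert", "tls_disable_client_certs",
}

# HCL string escapes are \n \r \t \\ \" \uXXXX \UXXXXXXXX; group 1 captures anything else.
ESCAPE_RE = re.compile(r'\\(?:[nrt\\"]|u[0-9A-Fa-f]{4}|U[0-9A-Fa-f]{8}|(.|$))')
# key = "quoted value"  or  key = bare_value
ASSIGN_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:"(.*)"|(\S+))\s*$')


def listener_block(cfg):
    """Return the body of the first listener "tcp" { ... } stanza (nested blocks not handled)."""
    m = re.search(r'listener\s+"tcp"\s*\{(.*?)\n\}', cfg, re.S)
    return m.group(1) if m else ""


def lint_listener(cfg, check_files=False):
    """Return a list of findings; an empty list means the stanza looks sane."""
    findings = []
    seen = {}
    for line in listener_block(cfg).splitlines():
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, quoted, bare = m.groups()
        seen[key] = quoted if quoted is not None else bare
        if key not in KNOWN_TCP_LISTENER_KEYS:
            hint = difflib.get_close_matches(key, KNOWN_TCP_LISTENER_KEYS, n=1)
            findings.append(f"{key}: unknown listener key (Vault ignores it)"
                            + (f"; did you mean {hint[0]}?" if hint else ""))
        if quoted is not None:
            for e in ESCAPE_RE.finditer(quoted):
                if e.group(1) is not None:
                    findings.append(f"{key}: invalid escape {e.group(0)!r}; "
                                    "write Windows paths with '/' or '\\\\'")
                    break
    # TLS is on unless tls_disable is set; then both files must be named (and, optionally, exist).
    if str(seen.get("tls_disable", "false")).lower() not in ("true", "1"):
        for k in ("tls_cert_file", "tls_key_file"):
            if not seen.get(k):
                findings.append(f"{k}: not set, Vault would fail with an empty path ('open : ...')")
            elif check_files and not os.path.isfile(seen[k]):
                findings.append(f"{k}: {seen[k]} does not exist")
    return findings


# Constructed samples: the original post's stanza, the single-backslash variant, and Martin's fix.
ORIGINAL = r'''
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:/Hashicorp/Vault/certs/cert.pem"
  tls_cert_key = "C:/Hashicorp/Vault/certs/server.key"
}
'''
SINGLE_BACKSLASH = r'''
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:\Hashicorp\Vault\certs\cert.pem"
  tls_key_file = "C:\Hashicorp\Vault\certs\server.key"
}
'''
FIXED = r'''
listener "tcp" {
  address = "0.0.0.0:8200"
  tls_cert_file = "C:\\Hashicorp\\Vault\\certs\\cert.pem"
  tls_key_file  = "C:\\Hashicorp\\Vault\\certs\\server.key"
}
'''

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("single-backslash", SINGLE_BACKSLASH), ("fixed", FIXED)):
        print(f"{name}: {lint_listener(cfg) or ['ok']}")
```

Run it against the real file with `lint_listener(open(path).read(), check_files=True)` on the server itself so the existence check sees the same filesystem Vault will. The key list is deliberately conservative: a key it does not know is reported as a warning with a closest-match hint, so a parameter added in a newer Vault release shows up as something to look at rather than being silently accepted.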

Bingo!

That was it, Martin! tls_key_file is the parameter to use for Windows!

Thank you very much for your assistance.

Mark
