Koozali.org: home of the SME Server

Another PHPki question - passwords on PKCS#12 files?

DanB35
Another PHPki question - passwords on PKCS#12 files?
« on: November 22, 2014, 05:04:27 PM »
I've been working on getting OpenVPN Connect on my iPhone working with the OpenVPN Bridge contrib (http://wiki.contribs.org/OpenVPN_Bridge), and have been encountering some issues.  I've mostly managed to work around them (and intend to update the wiki), but one of them is giving me an issue.

When importing a .p12 file as an identity profile, iOS expects that it will be password protected.  Whether or not the file is actually passworded, iOS requires a password and will not import it without one.  This is, as far as I can tell, separate from having a password on the key itself.  From what I can see, though, there's no way in PHPki to password-protect the downloaded .p12 file.

The only workaround I've seen is to download the PEM bundle, split it into the user key, user cert, and ca cert, and then use openssl at the command line to build a new .p12 file (which will require a password), which can then be imported into the iOS hardware keystore.
......

stephdl
Re: Another PHPki question - passwords on PKCS#12 files?
« Reply #1 on: November 24, 2014, 07:11:42 PM »
Sometimes I can be old school, particularly when it works like a charm :)

A nice euphemism to explain that I have used PEM certificates with network-manager for years, but recently I tried the PKCS#12 certificate after reading your post.

First, from what I have tested this works well, but I don't understand your issue, since my certificate user.p12 is password protected like you are expecting, and when I set the settings in network-manager I gave the key password (set during the key creation); it is mandatory if I want to save the settings of my OpenVPN.

I guess you have created a certificate in 'Vpn client only', which allows having a certificate without it being protected by a password; see
http://wiki.contribs.org/OpenVPN_Bridge#Create_the_certificate_with_PHPki

Maybe you could choose another certificate type: Email or SSL Client, for example.
« Last Edit: November 24, 2014, 07:19:40 PM by stephdl »
See http://wiki.contribs.org/Koozali_Foundation
irc : Freenode #sme_server #sme-fr

!!! Please write your knowledge to the Wiki !!!

Daniel B.
Re: Another PHPki question - passwords on PKCS#12 files?
« Reply #2 on: November 26, 2014, 09:22:27 AM »
Yes, you could create a passwordless PEM key and only protect the exported .p12 so it can be imported (network-manager has the same problem and only accepts a .p12 with a password), but PHPki doesn't support it. So you only have two choices: set a password when creating the certificate, or export the passwordless PEM and manually create a .p12 with a password using openssl.

Anyway, I think you'll hit another issue for iOS: it doesn't support the bridge mode (tap interface, which creates a level 2 virtual NIC). I need to update this contrib and merge a few options, including a new point-to-multipoint routing daemon, which would work with Android and iOS (I have a smeserver-openvpn-routed contrib for this in my repo, but it has no panel in the server-manager nor any documentation. I can help setting it up if you're interested in having iOS/Android devices connected).
It's the end of the world!!! :lol:
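The manual workaround described in the opening post and in Daniel B.'s reply (split the PHPki PEM bundle into key, user cert and CA cert, then build a password-protected .p12 with openssl), written out as an added example script; it is not code from the thread or from PHPki. It assumes the bundle contains the private key first, then the user certificate, then the CA certificate(s), and it reads the export password from the P12_PASS environment variable rather than the command line so the password does not show up in the process list.

```shell
#!/bin/sh
# Rebuild a PHPki PEM bundle as a password-protected PKCS#12 for iOS import.
# Assumption: the bundle holds the private key, then the user certificate,
# then the CA certificate(s), each as a standard PEM block.
set -eu

# Split a PEM bundle into user.key, user.crt and ca.crt inside directory $2.
# Any certificate after the first one is treated as CA/chain material.
split_pem_bundle() {
  bundle=$1
  out=$2
  mkdir -p "$out"
  awk -v out="$out" '
    /-----BEGIN .*PRIVATE KEY-----/ { f = out "/user.key" }
    /-----BEGIN CERTIFICATE-----/   { n++; f = (n == 1) ? out "/user.crt" : out "/ca.crt" }
    f                               { print > f }
    /-----END /                     { f = "" }
  ' "$bundle"
  chmod 600 "$out/user.key"   # the key is unencrypted on disk: keep it private
}

# Wrap the split files into a .p12.  The export password comes from the
# P12_PASS environment variable (openssl's env: syntax), so it never appears
# in the shell history or the process list.
build_p12() {
  dir=$1
  p12=$2
  : "${P12_PASS:?set P12_PASS to the password iOS will ask for on import}"
  export P12_PASS
  openssl pkcs12 -export \
    -inkey "$dir/user.key" -in "$dir/user.crt" -certfile "$dir/ca.crt" \
    -name "openvpn-client" -out "$p12" -passout env:P12_PASS
  chmod 600 "$p12"
}

# Usage (kept as a comment so the functions can be sourced from other scripts):
#   P12_PASS='choose-a-passphrase' ./make_p12.sh   # then call:
#   split_pem_bundle bundle.pem work && build_p12 work client.p12
```

With OpenSSL 3 the default PKCS#12 encryption is AES/PBKDF2; if an older importer rejects the file, add `-legacy` to the `openssl pkcs12 -export` line to get the older encoding.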

DanB35
Re: Another PHPki question - passwords on PKCS#12 files?
« Reply #3 on: November 26, 2014, 01:41:37 PM »
Yes, stephdl, that was it--I'd created a VPN client only certificate without a password, which was what I wanted (and still want) to do--I don't want to need to enter a password every time I use it.  It sounds like there's more going on anyway, though.

Daniel B., yes, I noticed that.  For some reason my iPhone and iPad were able to connect just fine, but couldn't access anything on my LAN.  Digging a little further makes it look like this may be a little complicated.  I've reverted my wiki edits for now.
......