I modified /etc/ssl/openssl.cnf and set input_password and output_password to something and tried to regen the certificates; still does not work.
Then I found a page on the web about certificates being used by the OS X client: http://www.jacco2.dds.nl/networking/openswan-macosx.html#Certs
Seems that OS X will not accept a server certificate in distinguished name format (which they appear to be generated as) without adding user_cert option subjectAltName=DNS:
Of course it’s not possible to do this as the changes made to openssl.cnf are wiped out after a reboot.
If I understand correctly (and I probably don’t), this makes the Zeroshell config incompatible with OS X clients as far as X.509 VPN access goes?
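
One way to check whether a server certificate carries the subjectAltName DNS entry mentioned in the post, using the `openssl` command line. This is an added example, not part of the original post or of Zeroshell; the hostname `vpn.example.test`, the file names and the `[san_ext]` section name are constructed, and the test certificates are written to a scratch directory rather than to the system openssl.cnf.

```shell
#!/bin/sh
# Constructed example: host name, file names and the [san_ext]
# section name are assumptions, not values from the post.

# has_san_dns CERT.pem
# Exit status 0 if the certificate has a subjectAltName DNS entry.
has_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Subject Alternative Name' |
        grep -q 'DNS:'
}

# make_test_cert OUTDIR NAME HOST [san]
# Writes a throwaway self-signed certificate to OUTDIR/NAME.pem.
# With "san" as the fourth argument the certificate gets
# subjectAltName=DNS:HOST; without it, only the distinguished name.
make_test_cert() {
    dir=$1
    name=$2
    host=$3
    want_san=$4
    # Private config file, so the system-wide openssl.cnf is untouched.
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[san_ext]
subjectAltName = DNS:$host
EOF
    if [ "$want_san" = san ]; then
        set -- -extensions san_ext
    else
        set --
    fi
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/$name.cnf" "$@" \
        -keyout "$dir/$name.key" -out "$dir/$name.pem" 2>/dev/null
}
```

Running `has_san_dns` against the certificate the VPN server actually presents shows whether the extension was included when the certificate was generated.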