Certificate passwords


This topic contains 4 replies, has 0 voices, and was last updated by  chemical 12 years, 2 months ago.

Viewing 6 posts - 1 through 6 (of 6 total)
  • #40515

    chemical
    Member

    I’m trying to connect to the zeroshell host-to-LAN VPN with the Mac OS X built-in client but I can’t get the user certificate installed into Keychain Access without it asking me for the certificate password.

    I tried using all the passwords I could think of related to zeroshell but none work. I’ve exported the certificates in all available formats and still it asks for a cert password.

    How can I tell what the password for the cert is so I can get it installed into OS X?

    Thanks!
    Dustin

    #45028

    imported_fulvio
    Participant

    At the moment Zeroshell does not protect the X.509 certificates with a password. I have not tried the Mac OS X L2TP/IPsec client and hence I don’t know why it asks for a password. Did you try a blank password?

    Regards
    Fulvio

    #45029

    chemical
    Member

    I tried a blank password and the OS X Keychain Access app still gives the CSP_INVALID_DATA error (meaning the user entered the wrong certificate password).

    Those same certs work on XP if I just hit enter at the password prompt, though, so it’s definitely OS X being picky about it.

    If I generate the certs with OpenSSL at the command line with passwords and move them into the zeroshell ssl/certs dir, will that work, or must they be generated within the GUI?

    Thanks for your help,
    Dustin

    #45030

    chemical
    Member

    I modified /etc/ssl/openssl.cnf and set input_password and output_password to something and tried to regen the certificates; still does not work.

    Then I found a page on the web about certificates being used by the OS X client: http://www.jacco2.dds.nl/networking/openswan-macosx.html#Certs

    Seems that OS X will not accept a server certificate in distinguished name format (which they appear to be generated as) without adding the user_cert option subjectAltName=DNS:

    Of course it’s not possible to do this as the changes made to openssl.cnf are wiped out after a reboot.

    If I understand correctly (and I probably don’t), this makes zeroshell config incompatible with OS X clients as far as x.509 VPN access goes?

    #45031

    imported_fulvio
    Participant

    Thank you for the hints. I am going to apply them as soon as possible. I hope in the next release.

    Regards
    Fulvio

    #45032

    greyman
    Member

    I think I might have found us OS X users a short workaround from here:

    http://www.jacco2.dds.nl/networking/freeswan-panther.html

    Below is a cut and paste from section 8.4.1 of the page.

    8.4.1 Alternative method of importing the machine certificate

    If you are a die-hard command line fan you can use the utility ‘certtool’ that is included with Mac OS X. It works for me but I did not look into this much because the command line scares off most users. Anyway, here are the commands for importing a file in PKCS#12 format. This example assumes the file is called ‘yourcrt.p12’.


    # split the PKCS#12 bundle into CA certs, client cert and (unencrypted) private key
    openssl pkcs12 -in yourcrt.p12 -cacerts -out ca.pem -nokeys
    openssl pkcs12 -in yourcrt.p12 -clcerts -out client.pem -nokeys
    openssl pkcs12 -in yourcrt.p12 -nocerts -out key.pem -nodes
    # work on copies of the system keychains in your own keychain folder
    cp /System/Library/Keychains/X509Anchors $HOME/Library/Keychains/X509Anchors.bkp
    cp /Library/Keychains/System.keychain $HOME/Library/Keychains/System.keychain.bkp
    # import the CA into the anchors copy, the client cert plus key into the system keychain copy
    certtool i ca.pem k=X509Anchors.bkp v
    certtool i client.pem r=key.pem f=1 k=System.keychain.bkp v
    # put the modified copies back in place, then remove the unencrypted key from disk
    sudo cp $HOME/Library/Keychains/X509Anchors.bkp /System/Library/Keychains/X509Anchors
    sudo cp $HOME/Library/Keychains/System.keychain.bkp /Library/Keychains/System.keychain
    rm -fr ca.pem client.pem key.pem

    You will be asked three times for the certificate password. After that, you will be asked for the Keychain Access password and then for your login password.

    A word of advice: copy, paste and execute these lines one by one in a Terminal window. Typing them is error prone.

    Doing the steps above allowed me to import a user certificate and a host certificate and configure L2TP from Internet Connect using only certs.
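The thread turns on two properties of the exported bundle: whether it really has an empty password (Fulvio's point) and whether the certificate carries a subjectAltName DNS entry (the requirement chemical found for the OS X client). The script below is an added example, not code from the thread or from ZeroShell: it builds throwaway PKCS#12 bundles from constructed material (self-signed certificates with and without a SAN, exported with an empty or a chosen password) and checks both properties with the openssl CLI, so you can confirm what a bundle contains before blaming the client. It assumes an openssl release new enough for `req -addext` (1.1.1 or later); the names vpn.example.test and the password "secret" are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or ZeroShell). Builds constructed PKCS#12
# bundles and checks two properties: does the bundle open with an empty
# password, and does the certificate list a DNS name in subjectAltName.
# Assumes an openssl CLI that supports 'req -addext' (1.1.1 or later).
set -eu

WORK="${TMPDIR:-/tmp}/p12check.$$"

# make_bundle NAME [SAN] [PASSWORD]
# Creates WORK/NAME.p12 and prints its path. Empty SAN means no subjectAltName;
# empty PASSWORD means the bundle is exported with an empty password.
make_bundle() {
  name="$1"; san="${2:-}"; pass="${3:-}"
  mkdir -p "$WORK"
  if [ -n "$san" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
      -addext "subjectAltName=DNS:$san" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.crt" 2>/dev/null
  fi
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -passout "pass:$pass" -out "$WORK/$name.p12" 2>/dev/null
  echo "$WORK/$name.p12"
}

# p12_opens_with_empty_password FILE
# Exit status 0 if the bundle's MAC verifies with an empty password (the
# ZeroShell export case), non-zero if a real password is required.
p12_opens_with_empty_password() {
  openssl pkcs12 -in "$1" -passin pass: -nokeys -noout >/dev/null 2>&1
}

# cert_has_dns_san FILE
# Exit status 0 if the client certificate inside an empty-password bundle lists
# a DNS name in subjectAltName, which is what the OS X client expects.
cert_has_dns_san() {
  openssl pkcs12 -in "$1" -passin pass: -clcerts -nokeys 2>/dev/null \
    | openssl x509 -noout -text 2>/dev/null \
    | grep -q 'DNS:'
}

cleanup() { rm -rf "$WORK"; }

# demo: run as 'sh p12check.sh demo' to see both checks on constructed bundles
demo() {
  a=$(make_bundle nosan)
  b=$(make_bundle withsan vpn.example.test)
  c=$(make_bundle locked vpn.example.test secret)
  for f in "$a" "$b" "$c"; do
    if p12_opens_with_empty_password "$f"; then
      echo "$f: opens with empty password"
    else
      echo "$f: password required"
    fi
  done
  for f in "$a" "$b"; do
    if cert_has_dns_san "$f"; then
      echo "$f: DNS subjectAltName present"
    else
      echo "$f: no DNS subjectAltName"
    fi
  done
  cleanup
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run the same two checks against a bundle exported from ZeroShell: if `p12_opens_with_empty_password` succeeds, the Keychain prompt is not about a missing password, and if `cert_has_dns_san` fails, the certificate is the distinguished-name-only kind chemical describes, so the fix belongs in the certificate template, not the client.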
