December 10, 2006 at 12:39 am #40515
I’m trying to connect to zeroshell host-to-LAN VPN with Mac OSX built-in client but I can’t get the user certificate installed inot Keychain Access without it asking me for the certificate password.
I tried using all the passwords I could think of related to zeroshell but none work. I’ve exported the certificates in all available formats and still it asks for a cert password.
How can I tell what the password for the cert is so I can get it installed into OS X?
DustinDecember 10, 2006 at 9:29 am #45028
At moment Zeroshell does not protect the x.509 cetificates with a password. I have not tried the Mac OS X l2tp/IPSec client and hence I don’t know why it asks for a password. Did you try a blank password?
FulvioDecember 10, 2006 at 7:27 pm #45029
I tried a blank password and the OS X Keychain Access app still gives the CSP_INVALID_DATA error (meaning the user entered the wrong certificate password).
Those same certs work on XP if I just hit enter at the password prompt, though, so it’s definitely OS X being picky about it.
If I generate the certs with OpenSSL at the command line with passwords and move them into the zeroshell ssl/certs dir, will that work, or must they be generated within the GUI?
Thanks for your help,
DustinDecember 11, 2006 at 3:44 am #45030
I modified /etc/ssl/openssl.cnf and set input_password and output_password to something and tried to regen the certificates; still does not work.
Then I found a page on the web about certificates being used by the OS X client: http://www.jacco2.dds.nl/networking/openswan-macosx.html#Certs
Seems that OS X will not accept a server certificate in distinguished name format (which they appear to be generated as) without adding user_cert option subjectAltName=DNS:
Of course it’s not possible to do this as the changes made to openssl.cnf are wiped out after a reboot.
If I understand correctly (and I probably don’t), this makes zeroshell config incompatible with OS X clients as far as x.509 VPN access goes?December 11, 2006 at 5:25 pm #45031
Thank you for the hints. I am going to apply them as soon as possible. I hope in the next release.
FulvioJanuary 2, 2007 at 7:38 pm #45032
I think I might have found us OSX users a short work around from here:
Below is a cut and paste from section 8.4.1 of the page.
8.4.1 Alternative method of importing the machine certificate
If you are a die-hard command line fan you can use the utility ‘certtool’ that is included with Mac OS X. It works for me but I did not look into this much because the command line scares off most users. Anyway, here are the commands for importing a file in PKCS#12 format. This example assume the file is called ‘yourcrt.p12’.
openssl pkcs12 -in yourcrt.p12 -cacerts -out ca.pem -nokeys
openssl pkcs12 -in yourcrt.p12 -clcerts -out client.pem -nokeys
openssl pkcs12 -in yourcrt.p12 -nocerts -out key.pem -nodes
cp /System/Library/Keychains/X509Anchors $HOME/Library/Keychains/X509Anchors.bkp
cp /Library/Keychains/System.keychain $HOME/Library/Keychains/System.keychain.bkp
certtool i ca.pem k=X509anchors.bkp v
certtool i client.pem r=key.pem f=1 k=System.keychain.bkp v
sudo cp $HOME/Library/Keychains/X509Anchors.bkp /System/Library/Keychains/X509Anchors
sudo cp $HOME/Library/Keychains/System.keychain.bkp /Library/Keychains/System.keychain
rm -fr ca.pem client.pem key.pem
You will be asked three times for the certificate password. After that, you will be asked for the Keychain Access password and then for your login password.
A word of advice: copy, paste and execute these lines one by one in a Terminal window. Typing them is error prone.
In doing the steps above it allowed me toimport a user certificate and a host certificate to allow me to configure L2TP from internet conect using only certs.
You must be logged in to reply to this topic.