Fault in PKCS #12 conversion example in man ocserv(8)?

Björn Ketelaars bjorn.ketelaars at hydroxide.nl
Mon Feb 16 12:50:37 PST 2015
I attempted to build a simple PKI using the examples in ocserv(8). The last step in
the generation of a client certificate is the conversion of a certificate into
PKCS #12. Unfortunately the resulting file is not compatible with openconnect
(tested on OS X and OpenBSD):

# sudo openconnect -v -c pkcs12.p12 vpn.example.com
POST https://vpn.example.com
Attempting to connect to server a.b.c.d:443
Using certificate file pkcs12.p12
Loading certificate failed: No certificate found in file
Loading certificate failed. Aborting.
Failed to open HTTPS connection to vpn.example.com
Failed to obtain WebVPN cookie

I suspect that openconnect does not like PKCS #12 in PEM format. It does
however like DER format. An easy solution is to change the certtool example in
ocserv(8) to include the --outder switch. The real solution would be enabling
openconnect to accept both PEM and DER format. Implementation of the latter is
out of my league.

Suggested change:

diff --git a/src/ocserv-args.def b/src/ocserv-args.def
index f3ea780..5e7b695 100644
--- a/src/ocserv-args.def
+++ b/src/ocserv-args.def
@@ -680,7 +680,7 @@ $ certtool --generate-certificate --load-privkey user-key.pem \
 	--load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \
 	--template user.tmpl --outfile user-cert.pem
 
-$ certtool --to-p12 --load-privkey user-key.pem \
+$ certtool --to-p12 --outder --load-privkey user-key.pem \
 	--pkcs-cipher 3des-pkcs12 \
 	--load-certificate user-cert.pem \
 	--outfile user.p12
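Review bot: the added `--outder` has no explanation in the surrounding man text, so a reader copying the example will not know why the flag matters; consider adding one sentence after the command noting that the PKCS #12 file must be DER-encoded because openconnect rejects the PEM-armored form ("No certificate found in file"). While touching this example, `--pkcs-cipher 3des-pkcs12` in the unchanged context line is a legacy cipher kept for compatibility with old importers; if the documented client (openconnect) does not need it, a note on when to prefer a stronger PKCS #12 cipher would help.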

OK?

-- 
Björn Ketelaars
GPG key: 0x4F0E5F21
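The failure above comes down to the encoding of the PKCS #12 file, and a PEM-armored PKCS #12 is just the DER blob base64-encoded between BEGIN/END lines. The following added example (not from the post or from ocserv/openconnect) checks which encoding a .p12 file has and strips the PEM armor to recover the DER bytes that `certtool --to-p12 --outder` would have written; the sample PKCS #12 bytes it uses are a constructed minimal SEQUENCE, not a real keystore.

```shell
#!/bin/sh
# Added example: detect PEM vs DER PKCS #12 and strip PEM armor to get DER.
# Assumes POSIX sh plus head/od/grep/base64 from coreutils or busybox.

# Print "pem", "der" or "unknown" for the file given as $1.
p12_encoding() {
    if head -c 11 "$1" | grep -q '^-----BEGIN'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' ')" = "30" ]; then
        # DER PKCS #12 starts with an ASN.1 SEQUENCE tag (0x30).
        echo der
    else
        echo unknown
    fi
}

# Write PEM-armored PKCS #12 ($1) as DER to $2; DER input is copied as-is.
# Returns non-zero if the input is not PKCS #12 or the output is not DER.
p12_to_der() {
    case "$(p12_encoding "$1")" in
        pem) grep -v '^-----' "$1" | base64 -d > "$2" ;;   # drop armor lines
        der) cp "$1" "$2" ;;
        *)   echo "not a PKCS #12 file: $1" >&2; return 1 ;;
    esac
    [ "$(p12_encoding "$2")" = "der" ]
}

# Create constructed sample files in directory $1: a minimal DER SEQUENCE
# holding INTEGER 3 (the PKCS #12 version field), and its PEM-armored twin.
make_samples() {
    printf '\060\003\002\001\003' > "$1/sample.der"
    {
        echo '-----BEGIN PKCS12-----'
        base64 "$1/sample.der"
        echo '-----END PKCS12-----'
    } > "$1/sample.pem"
}

# Stand-alone demo: convert the PEM sample and report both encodings.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
p12_to_der "$demo_dir/sample.pem" "$demo_dir/out.der"
echo "sample.pem: $(p12_encoding "$demo_dir/sample.pem")"
echo "out.der:    $(p12_encoding "$demo_dir/out.der")"
rm -rf "$demo_dir"
```

Run `p12_encoding user.p12` before handing a file to `openconnect -c`; if it reports `pem`, `p12_to_der user.p12 user-der.p12` gives the form openconnect accepts.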