Matthew Zimmerman mzimmerman at gmail.com
Wed Apr 5 09:13:50 PDT 2017

The client certificates I would like to use for ocserv are issued as
part of another business process and I can't re-issue them.  They
don't have the usernames I would like to use embedded in them.  They
do have an email address as the SAN(rfc822name).

I can see the username (email) getting extracted during the login
process, however the AnyConnect client then disconnects.  I can't tell
from the ocserv logs (running -d 9999) what the reason is.

When I think about what needs to happen, however, I have specified the
authentication of the certificate/user, but there's no location in the
config where I give certain users authorization.  How does that work?

As an aside, I tried to use ocpasswd to create passwords for the email
addresses associated with the certificates, however that doesn't seem
to work either.

Finally as a last resort, is it possible to do the certificate
verification (meaning that they're issued by a trusted CA) only and
then use the password for the actual authentication?
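Added example, not part of the original message and not the ocserv project's own documentation: the two ocserv.conf configurations the question is circling, written as a config fragment. The file paths are assumptions, and the `cert-user-oid = SAN(rfc822name)` spelling is taken from the poster's own wording and the commented options in the ocserv sample config; confirm it against the sample config shipped with your ocserv version before relying on it.

```ini
# Option A: certificate-only authentication.
# Every client must present a certificate that chains to ca-cert; the
# login name is read from the certificate field named by cert-user-oid.
auth = "certificate"
ca-cert = /etc/ocserv/ssl/ca-cert.pem          # assumed path

# Read the username from the rfc822Name SAN instead of a DN attribute
# (for comparison, CN would be 2.5.4.3 and UID 0.9.2342.19200300.100.1.1).
cert-user-oid = SAN(rfc822name)

# In this mode "authorization" is simply "issued by the trusted CA and
# not revoked", so publish a CRL and point ocserv at it.
crl = /etc/ocserv/ssl/crl.pem                  # assumed path

# Per-user settings (routes, DNS, ...) are looked up by the extracted
# username in this directory, e.g. a file named alice@example.com.
config-per-user = /etc/ocserv/config-per-user/ # assumed path

# Option B (use instead of the single auth line above): certificate as
# the first factor, password as the second.  Repeating "auth" means all
# listed methods are required; "enable-auth" would instead offer them
# as alternatives.  The certificate is still validated against ca-cert,
# and the password entry is assumed to be created under the same name
# that cert-user-oid yields.
auth = "certificate"
auth = "plain[passwd=/etc/ocserv/ocpasswd]"
```

For option B the password entries are added with `ocpasswd -c /etc/ocserv/ocpasswd alice@example.com` (path assumed). Option A answers the "where is authorization" question: with certificate auth there is no allow-list of users in the config, so the trust boundary is the CA plus the CRL, and anything more selective has to come from a second factor or from per-user configuration.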


