Getting started

David Woodhouse dwmw2 at infradead.org
Wed Dec 9 18:13:09 EST 2009


On Wed, 2009-12-09 at 23:22 +0100, Paul Floyd wrote:
> Anyway, I've just been through the AnyConnect rigmarole to get a 
> certificate and get connected on Windows. I'd rather not be forced to 
> use Windows though, not use the nasty looking bits that Cisco installed. 
> I'd prefer to use Solaris or Mac.

OpenConnect has been recently tested on both Solaris and OSX.

> On OpenSolaris, I've compiled and installed tun, compiled and installed 
> openconnect. After that the instructions start getting a bit thin on the 
> ground.

That's because there's not a lot else to do.

If you use password authentication, we can't tell you who you need to
talk to to reset your password on your own servers.

If you use certificate authentication, we can't tell you how to get your
certificates. I could tell you about my own employer's PKI
infrastructure and the SOAP methods we use to issue certificates, but it
wouldn't help you much.

>  I've tried jailbreak, and found one Client Authentication 
> certificate. When I try to export it, it says it's marked as not 
> exportable and won't export the private key. Is that right?

Doesn't sound right to me. I thought the whole point in jailbreak was
that it would export the private keys? All your keys are supposed to
appear as exportable.

Perhaps you need to be running it as a user with Administrator privs?

>  Next, there is a choice of 3 formats, with DER as the default. Does
> it matter which one I choose?
> 
> I've tried the 1st and 3rd options when exporting, to get a .CER and a 
> .PK7 file, and in both cases openconnect gives me a message that 
> "Loading certificate failed".

That sounds like it's exporting a certificate without the corresponding
private key. You want the fourth option in that dialog box, which is
PKCS#12. OpenConnect can eat PKCS#12 files directly.

You can only export as PKCS#12 if you've been able to select 'Yes,
export the private key' at the previous stage. That seems to be your
problem.

-- 
dwmw2
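As an added example (not code from this thread or from OpenConnect itself): a small stand-alone Python check that tells the export dialog's formats apart by their outer DER structure and, for PKCS#12, looks for a key bag, since only that format can carry the private key OpenConnect needs. It uses only the standard library; the sample byte strings and the fake_pkcs12 helper are constructed stand-ins with the outer structure of real exports, not real certificates.

```python
import base64, re

# DER encodings of the OIDs that identify each structure (standard values).
OID_PKCS7_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")     # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")            # 1.2.840.113549.1.7.1
OID_SHROUDED_KEY_BAG = bytes.fromhex("2a864886f70d010c0a0102")  # 1.2.840.113549.1.12.10.1.2
OID_KEY_BAG = bytes.fromhex("2a864886f70d010c0a0101")           # 1.2.840.113549.1.12.10.1.1
def tlv(tag, body):
    """Minimal DER encoder (tag byte + definite length), used to build samples."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def read_tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value bytes, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n

def classify_export(data):
    """Return (format name, carries a private key?) for an exported file's bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):                 # Base-64 (PEM) variant
        data = base64.b64decode(re.sub(rb"-----[^-]+-----|\s", b"", data))
    tag, body, _ = read_tlv(data)
    if tag != 0x30:
        return ("unknown", False)
    inner_tag, inner, _ = read_tlv(body)
    if inner_tag == 0x30:                                       # tbsCertificate
        return ("DER X.509 certificate", False)
    if inner_tag == 0x06 and inner == OID_PKCS7_SIGNED_DATA:
        return ("PKCS#7 certificate bundle", False)             # certs only, never keys
    if inner_tag == 0x02 and inner == b"\x03":                  # PFX version 3
        # Key bags usually sit in an unencrypted SafeContents, so their OID is visible raw (heuristic).
        return ("PKCS#12", OID_SHROUDED_KEY_BAG in data or OID_KEY_BAG in data)
    return ("unknown", False)
# Constructed stand-ins carrying only the outer structure of each export format.
FAKE_DER_CERT = tlv(0x30, tlv(0x30, b"\x02\x01\x01") + tlv(0x30, b"") + tlv(0x03, b"\x00"))
FAKE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_DER_CERT) + b"-----END CERTIFICATE-----\n"
FAKE_PKCS7 = tlv(0x30, tlv(0x06, OID_PKCS7_SIGNED_DATA) + tlv(0xA0, tlv(0x30, b"")))
def fake_pkcs12(bag_oid):
    """PFX { version 3, authSafe = data ContentInfo wrapping one SafeBag of bag_oid }."""
    bag = tlv(0x30, tlv(0x06, bag_oid) + tlv(0xA0, tlv(0x30, b"")))
    safe = tlv(0x04, tlv(0x30, tlv(0x30, bag)))
    return tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, tlv(0x06, OID_PKCS7_DATA) + tlv(0xA0, safe)))
```

On a real export, read the file in binary mode and pass its bytes to classify_export; a .CER or .PK7 will always come back without a key, which is exactly the "Loading certificate failed" case above.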