Cannot get certtool generated client certificate to work with AnyConnect client on iOS
Nikos Mavrogiannopoulos
nmav at gnutls.org
Sun Oct 19 13:38:25 PDT 2014
On Sun, 2014-10-19 at 00:15 +0800, David Frank wrote:
> Same problem as Alex here, I can't spot a difference between these 2
> commands, but only the openssl one works with AnyConnect client.
>
> - openssl pkcs12 -export -inkey user-key.pem -in user-cert.pem -name
> "service" -certfile ca-cert.pem -out user.p12
I used gnutls in git to see the difference:
certtool --p12-info --inder <user.p12
MAC info:
MAC: SHA1 (1.3.14.3.2.26)
BAG #0
Type: Encrypted
Cipher: RC2-40
Schema: PKCS12-RC2-40-SHA1 (1.2.840.113549.1.12.1.6)
BAG #1
Type: PKCS #8 Encrypted key
PKCS #8 information:
Cipher: 3DES-CBC
Schema: PKCS12-3DES-SHA1 (1.2.840.113549.1.12.1.3)
> - certtool --to-p12 --load-ca-certificate ca-cert.pem --load-privkey
> user-key.pem --load-certificate user-cert.pem --outfile user.p12
The equivalent:
MAC info:
MAC: SHA1 (1.3.14.3.2.26)
BAG #0
Type: Encrypted
Cipher: ARCFOUR-128
Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
BAG #1
Type: Encrypted
Cipher: ARCFOUR-128
Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
So I'd suggest using --pkcs-cipher=3des-pkcs12 as the algorithm. That will
also be the default in certtool in 3.4.0.
regards,
Nikos
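An added example, not from this thread and not part of GnuTLS or OpenSSL: a stdlib-only Python audit that lists which PBE scheme protects each encrypted bag of a .p12 (the ARCFOUR vs 3DES difference shown in the two --p12-info dumps above) so a file can be checked before it is handed to a client. Since no real file is on the page, it also constructs skeleton PKCS#12 layouts to run against; the OID walk is a heuristic that descends into any OCTET STRING that parses as clean DER rather than a full PKCS#12 parser, and audit_p12 and sample_pfx are names chosen for this example.

```python
RSADSI = b"\x2a\x86\x48\x86\xf7\x0d\x01"  # DER body of arc 1.2.840.113549.1 (pkcs)
PBE = {  # DER-encoded PBE OIDs (RFC 7292 appendix C, PKCS#5) -> the name certtool prints
    b"\x06\x0a" + RSADSI + b"\x0c\x01\x01": "PKCS12-ARCFOUR-SHA1",  # 1.2.840.113549.1.12.1.1
    b"\x06\x0a" + RSADSI + b"\x0c\x01\x03": "PKCS12-3DES-SHA1",     # 1.2.840.113549.1.12.1.3
    b"\x06\x0a" + RSADSI + b"\x0c\x01\x06": "PKCS12-RC2-40-SHA1",   # 1.2.840.113549.1.12.1.6
    b"\x06\x09" + RSADSI + b"\x05\x0d": "PBES2",                    # 1.2.840.113549.1.5.13
}
LEGACY = {"PKCS12-ARCFOUR-SHA1", "PKCS12-RC2-40-SHA1"}  # RC4 and 40-bit RC2: do not ship
ID_DATA, ID_ENC_DATA = b"\x06\x09" + RSADSI + b"\x07\x01", b"\x06\x09" + RSADSI + b"\x07\x06"

def read_tlv(buf, pos, end):  # one DER tag+length at pos -> (tag, content_start, content_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if tag == 0 or tag & 0x1F == 0x1F or pos + length > end:
        raise ValueError("not a DER element that fits its container")
    return tag, pos, pos + length

def collect_oids(buf, start=0, end=None):
    # Encoded OIDs in file order; descends into constructed elements and into OCTET STRINGs holding clean DER
    end, pos, found = len(buf) if end is None else end, start, []
    while pos < end:
        tag, cs, ce = read_tlv(buf, pos, end)
        if tag == 0x06:
            found.append(buf[pos:ce])
        elif tag & 0x20 or tag == 0x04:
            try:
                found += collect_oids(buf, cs, ce)
            except (ValueError, IndexError):
                pass  # ciphertext, salt or digest bytes, not structure
        pos = ce
    return found

def audit_p12(der):
    """Return (PBE scheme per encrypted bag, in file order; True if any is a legacy scheme)."""
    bags = [PBE[o] for o in collect_oids(der) if o in PBE]
    return bags, any(b in LEGACY for b in bags)

def tlv(tag, body):  # DER encoder (definite, minimal length), used only to build sample files
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body
def sample_pfx(bag_pbes):
    """Constructed PFX skeleton (dummy ciphertext, no MacData): one EncryptedData per bag."""
    def bag(pbe):  # ContentInfo{id-encryptedData, [0] EncryptedData{0, EncryptedContentInfo}}
        alg = tlv(0x30, pbe + tlv(0x30, tlv(0x04, bytes(8)) + tlv(0x02, b"\x08\x00")))
        eci = tlv(0x30, ID_DATA + alg + tlv(0x80, b"\xde\xad\xbe\xef"))
        return tlv(0x30, ID_ENC_DATA + tlv(0xA0, tlv(0x30, tlv(0x02, b"\x00") + eci)))
    auth_safe = tlv(0x04, tlv(0x30, b"".join(map(bag, bag_pbes))))  # OCTET STRING{AuthenticatedSafe}
    return tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, ID_DATA + tlv(0xA0, auth_safe)))
```

Run it on a real export with audit_p12(open("user.p12", "rb").read()): a file laid out like the certtool dump above reports PKCS12-ARCFOUR-SHA1 for both bags and is flagged, while a 3des-pkcs12 export reports PKCS12-3DES-SHA1 with no flag.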