Cannot get certtool generated client certificate to work with AnyConnect client on iOS
Nikos Mavrogiannopoulos
nmav at gnutls.org
Wed Oct 29 03:45:00 PDT 2014
On Tue, Oct 21, 2014 at 3:00 PM, David Frank <bitinn at gmail.com> wrote:
>>> - certtool --to-p12 --load-ca-certificate ca-cert.pem --load-privkey
>>> user-key.pem --load-certificate user-cert.pem --outfile user.p12
>> The equivalent:
>> MAC info:
>> MAC: SHA1 (1.3.14.3.2.26)
>>
>> BAG #0
>> Type: Encrypted
>> Cipher: ARCFOUR-128
>> Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
>>
>> BAG #1
>> Type: Encrypted
>> Cipher: ARCFOUR-128
>> Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
>> So I'd suggest to use --pkcs-cipher=3des-pkcs12 as algorithm. That will
>> also be the default in certtool in 3.4.0.
> Tried both 3des and aes, unfortunately no good on iOS AnyConnect, same vague
> error message.
I guess then the only remaining possibility is that anyconnect client
requires the key to be in encrypted PKCS #8 format, and placed
unencrypted in the PKCS #12 structure, instead of encrypted in PKCS
#12. Too bad that the designers of PKCS #12 are not the ones who are
expected to fix that mess.
regards,
Nikos
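The two layouts this thread turns on can be told apart from the PKCS #12 structure itself: either the whole SafeContents is wrapped in EncryptedData under a PKCS #12 PBE scheme (what `--p12-info` above shows as BAG #0/#1 with `PKCS12-ARCFOUR-SHA1`), or the SafeContents is stored as plain data and only the key is protected, as an encrypted PKCS #8 blob inside a pkcs8ShroudedKeyBag. The following is an added example, not code from the thread or from GnuTLS: a dependency-free DER walker that reports the scheme OID protecting each part of a DER-encoded .p12 without decrypting it or checking the MAC. The scheme names are assumptions chosen to match the style of certtool's `--p12-info` output; the sample PFX it builds for demonstration is constructed with placeholder bytes in place of real ciphertext and holds no key material.

```python
"""Added example: walk a PKCS#12 (PFX) DER structure and report which
password-based scheme protects each SafeContents / key bag. Reads only; it
does not decrypt anything or verify the MacData."""

OID_DATA = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"
OID_KEY_BAG = "1.2.840.113549.1.12.10.1.1"
OID_SHROUDED_KEY_BAG = "1.2.840.113549.1.12.10.1.2"
OID_CERT_BAG = "1.2.840.113549.1.12.10.1.3"
OID_PBE_RC4 = "1.2.840.113549.1.12.1.1"    # pbeWithSHAAnd128BitRC4 (certtool: arcfour)
OID_PBE_3DES = "1.2.840.113549.1.12.1.3"   # pbeWithSHAAnd3-KeyTripleDES-CBC (certtool: 3des-pkcs12)
OID_PBES2 = "1.2.840.113549.1.5.13"        # PBES2, used for aes-* ciphers
# Display names are assumptions, styled after certtool --p12-info output.
SCHEME_NAMES = {OID_PBE_RC4: "PKCS12-ARCFOUR-SHA1", OID_PBE_3DES: "PKCS12-3DES-SHA1", OID_PBES2: "PBES2"}
BAG_NAMES = {OID_KEY_BAG: "keyBag (plaintext key)", OID_SHROUDED_KEY_BAG: "pkcs8ShroudedKeyBag",
             OID_CERT_BAG: "certBag"}

# --- minimal DER reader ---------------------------------------------------
def _tlv_at(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def _children(value):
    """(tag, value) pairs of the TLVs directly inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, v, pos = _tlv_at(value, pos)
        out.append((tag, v))
    return out

def _decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0   # enough for 0.x / 1.x arcs
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _alg_oid(alg_id):
    """AlgorithmIdentifier SEQUENCE { OID, params } -> dotted OID string."""
    return _decode_oid(_children(alg_id)[0][1])

# --- PKCS#12 walk ---------------------------------------------------------
def describe_p12(der):
    """Return [(location, what, scheme_name), ...] for a DER-encoded PFX."""
    report = []
    pfx = _children(_tlv_at(der, 0)[1])            # [version, authSafe ContentInfo, MacData?]
    auth_ci = _children(pfx[1][1])                 # [OID data, [0] OCTET STRING]
    auth_safe = _children(auth_ci[1][1])[0][1]     # AuthenticatedSafe = SEQUENCE OF ContentInfo
    for i, (_, ci) in enumerate(_children(_tlv_at(auth_safe, 0)[1])):
        ctype, content = _children(ci)[0], _children(ci)[1]
        where = f"SafeContents #{i}"
        if _decode_oid(ctype[1]) == OID_ENCRYPTED_DATA:
            enc_data = _children(_children(content[1])[0][1])   # [version, EncryptedContentInfo]
            eci = _children(enc_data[1][1])                     # [contentType, AlgorithmIdentifier, ciphertext]
            oid = _alg_oid(eci[1][1])
            report.append((where, "EncryptedData", SCHEME_NAMES.get(oid, oid)))
            continue                                            # bags inside are opaque without the password
        safe_contents = _children(content[1])[0][1]             # OCTET STRING holding SafeContents
        for j, (_, bag) in enumerate(_children(_tlv_at(safe_contents, 0)[1])):
            bag_oid, scheme = _decode_oid(_children(bag)[0][1]), "none"
            if bag_oid == OID_SHROUDED_KEY_BAG:                 # EncryptedPrivateKeyInfo { AlgId, OCTET STRING }
                epki = _children(_children(bag)[1][1])[0][1]
                oid = _alg_oid(_children(epki)[0][1])
                scheme = SCHEME_NAMES.get(oid, oid)
            report.append((f"{where} bag #{j}", BAG_NAMES.get(bag_oid, bag_oid), scheme))
    return report

# --- constructed sample PFX (placeholder bytes, no real key material) -----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        ln = bytes([n])
    else:
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        ln = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + ln + body

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, body)

def build_sample_pfx(key_scheme, safe_scheme=None):
    """One pkcs8ShroudedKeyBag under key_scheme. If safe_scheme is given, the
    SafeContents is wrapped in EncryptedData under it (the certtool --to-p12
    layout); otherwise it is stored as plain data with only the key encrypted."""
    blob = b"\x00" * 16                                                   # stands in for ciphertext
    pbe_params = _tlv(0x30, _tlv(0x04, b"\x00" * 8) + _tlv(0x02, b"\x08\x00"))   # salt, 2048 iterations
    epki = _tlv(0x30, _tlv(0x30, _oid(key_scheme) + pbe_params) + _tlv(0x04, blob))
    safe_contents = _tlv(0x30, _tlv(0x30, _oid(OID_SHROUDED_KEY_BAG) + _tlv(0xA0, epki)))
    if safe_scheme:
        eci = _tlv(0x30, _oid(OID_DATA) + _tlv(0x30, _oid(safe_scheme) + pbe_params) + _tlv(0x80, blob))
        ci = _tlv(0x30, _oid(OID_ENCRYPTED_DATA) + _tlv(0xA0, _tlv(0x30, _tlv(0x02, b"\x00") + eci)))
    else:
        ci = _tlv(0x30, _oid(OID_DATA) + _tlv(0xA0, _tlv(0x04, safe_contents)))
    auth_safe = _tlv(0x30, ci)
    return _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, _oid(OID_DATA) + _tlv(0xA0, _tlv(0x04, auth_safe))))

if __name__ == "__main__":
    print("encrypted SafeContents:", describe_p12(build_sample_pfx(OID_PBE_3DES, OID_PBE_RC4)))
    print("plain SafeContents, shrouded key:", describe_p12(build_sample_pfx(OID_PBE_3DES)))
```

To inspect a real file, pass its bytes: `describe_p12(open("user.p12", "rb").read())`. In the first layout the walker can only name the outer scheme, because the bags are not visible without the password; in the second layout it names the PKCS #8 scheme on the key bag directly, and any certBag entries it lists next to it are stored in the clear, which is the trade-off of that layout.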