openconnect with p7b client certificate
Mikołaj Stefaniak
nick at surreal.pl
Thu Sep 22 07:47:56 PDT 2016
W dniu 2016-09-22 16:06, David Woodhouse napisał(a):
> On Wed, 2016-09-21 at 16:26 +0200, Mikołaj Stefaniak wrote:
>> Hello,
>>
>> I'm looking for some help with openconnect and p7b client certificate.
>> On Windows I can import p7b (that has no private key) certificate to
>> windows cert store and later use it in AnyConnect.
>
> But a PKCS#7 file really does contain only the certificate. You can't
> use that on its own; there *needs* to be a private key which
> corresponds to it.
>
> At least, you do for client authentication. Or was this just the
> certificate for your VPN server, which is otherwise invalid? In that
> case, you want to be using the PEM file with the --cafile option, not
> the -c option.
Yeach and that is the whole mystery. I got PKCS#7 certificate file from
my IT department - obviously there is no key inside. Despite that I
could import this certificate to windows certmgr and Windows Anyconnect
is using it as client certificate in TLS handshake (I inspected this
with Wireshark). It is possible to use this certificate in Firefox even!
(when accessing https vpn site)
This is really confusing as even Linux version of Anyconnect requires
PEM cert with a key... No idea how to proceed with this, looks like
windows certificate managment is somehow special.....
More information about the openconnect-devel
mailing list