Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Scripts to manage certificates or generate config files

Moderators: TinCanTech

regger
OpenVpn Newbie
Posts: 14
Joined: Tue Sep 04, 2018 6:52 pm

Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Post by regger » Wed Apr 01, 2020 12:36 pm

Dear all,

On my Windows machine I'm using the cryptoapicert option to use a certificate in the Windows certificate store. However, this doesn't work on Linux, so I'm looking for an alternative. I think it should be possible to export the Windows certificate to some PKCS12 format, but I'm not sure how to achieve this. Did any of you get this to work? Maybe someone can point me to a howto or tutorial.

I already tried to export the certificate on the Windows machine to some PEM format, but I don't know how to proceed. I used the following command to convert the p7b to pem:

Code:

openssl pkcs7 -in file.pem -print_certs -out certs.pem

Thank you very much for your help!

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Post by 300000 » Fri Apr 03, 2020 9:05 pm

It depends on how you imported the certificate into the Windows store. If you do not fully understand what to import and how to import it into the Windows store, you cannot export it and you can't use it outside the Windows machine at all. Do you remember, when you imported the p12 certificate into the Windows store, it had an option to enable export of the private key? That key is very important. Did you choose that or not? The Windows default is not to choose that option for you, so you can't export, because it prevents a stolen key for security purposes.

The certificate things have the same names, so people do not understand at all. If you type mmc, press Enter, and under File add the add-on and choose certificate, then choose the certificate and export. When you can export to p12 I can help you to change it for Linux. It must have the p12 extension, not another file type. If you can do that I can help you with the rest.

deaktamashu
OpenVpn Newbie
Posts: 1
Joined: Tue Oct 19, 2021 3:59 pm

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Post by deaktamashu » Tue Oct 19, 2021 4:05 pm

Dear 300000,
I have the same issue.

We have Windows infrastructure and I'd like to connect to it via my RedHat 8.

I have all the files:
VPN-CA-Certificate.crt
VPN-Client-Certificate-2022.key
VPN-Client-Certificate-2022.p12

and the OVPN file:

Code:

dev tun
persist-tun
persist-key
cipher AES-256-CBC
route-method exe
route-delay 2
auth SHA512
tls-client
client
resolv-retry infinite
remote XX.XXX.XXX.XXX 443 tcp
connect-timeout 10
lport 0
verify-x509-name "VPN-Server-Certificate" name
auth-user-pass
auth-nocache
ca VPN-CA-Certificate.crt
cryptoapicert "SUBJ:VPN-Client-Certificate-2022, XXXXXXXXXX"
tls-auth VPN-Client-Certificate-2022.key 1
remote-cert-tls server
comp-lzo adaptive

Can you please advise how to continue with this cryptoapicert function?

I converted the p12 to pem and imported to RedHat.


Regards //T.

300000
OpenVPN Expert
Posts: 685
Joined: Tue May 01, 2012 9:30 pm

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Post by 300000 » Wed Oct 20, 2021 4:04 pm

VPN-Client-Certificate-2022.p12 contains 3 certificates. That is all you need; now you need to convert it to use on Linux.

On Linux they use three files: the public CA certificate with extension .crt, the public client certificate with extension .crt, and the private client certificate with extension .key.

You can download xca on Windows and import VPN-Client-Certificate-2022.p12, then export to the three files named above, and you can make connections in Linux.

You can try it yourself first; if it does not work I can help you.

becm
OpenVPN User
Posts: 38
Joined: Tue Sep 01, 2020 1:27 pm

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Post by becm » Wed Oct 27, 2021 4:41 pm

You can test the required cert and key options also on windows to verify the contents of your .p12 and .key files.
It may be easier/required to use the certificate in PEM format (like CA file).

The text/base64 variants of ca/cert/key can be inlined into client.conf for easier profile import/redistribution.
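
The conversion discussed in the replies above, as an added example that is not part of any forum post: it splits the exported .p12 into the three PEM files with `openssl pkcs12` and rewrites the profile so the Windows-only `cryptoapicert` line becomes `cert` and `key` directives. The output file names (ca.crt, client.crt, client.key) and the function names are assumptions chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the thread). File and function names are hypothetical.

# p12_to_pem BUNDLE.p12 OUTDIR
# Splits the bundle into OUTDIR/ca.crt, OUTDIR/client.crt and OUTDIR/client.key.
# openssl prompts for the import password, and for a new passphrase on the key
# (no -nodes/-noenc), so the private key is never written to disk unencrypted.
p12_to_pem() (
    umask 077                      # key and directory readable by the owner only
    mkdir -p "$2" &&
    openssl pkcs12 -in "$1" -cacerts -nokeys -out "$2/ca.crt" &&
    openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/client.crt" &&
    openssl pkcs12 -in "$1" -nocerts -out "$2/client.key"
)

# rewrite_profile IN.ovpn OUTDIR
# Prints the profile with the cryptoapicert line replaced by cert/key lines that
# point into OUTDIR. Every other directive (ca, tls-auth, ...) is left untouched.
# Fails unless exactly one cryptoapicert line was found, so a profile that was
# already converted or uses another key source is not silently passed through.
rewrite_profile() {
    awk -v dir="$2" '
        $1 == "cryptoapicert" {
            print "cert " dir "/client.crt"
            print "key " dir "/client.key"
            n++
            next
        }
        { print }
        END { if (n != 1) exit 1 }
    ' "$1"
}

# Usage: sh p12-to-ovpn.sh bundle.p12 windows.ovpn /absolute/outdir > linux.ovpn
# Pass an absolute OUTDIR so the paths resolve wherever OpenVPN is started.
if [ "$#" -eq 3 ]; then
    p12_to_pem "$1" "$3" >&2 && rewrite_profile "$2" "$3"
fi
```

Because the key is stored with a passphrase, OpenVPN asks for it at connect time in addition to the `auth-user-pass` credentials.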
