Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Posted: Wed Apr 01, 2020 12:36 pm
by regger
Dear all,

On my Windows machine I'm using the cryptoapicert option to use a certificate in the Windows certification store. However, this doesn't work on Linux, so I'm looking for an alternative. I think it should be possible to export the Windows certificate to some PKCS12 format, but I'm not sure how to achieve this. Did any of you get this to work? Maybe someone can point me to a howto or tutorial.

I already tried to export the certificate on the Windows machine to some PEM format but I don't know how to proceed. I used the following command to convert the p7b to pem:

```
openssl pkcs7 -in file.pem -print_certs -out certs.pem
```

Thank you very much for your help!

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Posted: Fri Apr 03, 2020 9:05 pm
by 300000
It depends on how you imported the certificate into the Windows store. If you do not fully understand what to import and how to import it into the Windows store, you cannot export it and you can't use it outside the Windows machine at all. Do you remember that when you import a p12 certificate into the Windows store, there is an option to enable exporting the private key? That key is very important. Did you choose that option or not? The Windows default is not to choose that option for you, so you can't export, because that prevents the key from being stolen, for security purposes.

The certificate things all have the same names, so people don't understand them at all. If you type mmc, press Enter, then go to File, add-on, and choose Certificates. Choose the certificate and export it. When you can export to p12, I can help you change it for Linux. It must have the p12 extension, not another file type. If you can do that, I can help you with the rest.

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Posted: Tue Oct 19, 2021 4:05 pm
by deaktamashu
Dear 300000,
I have the same issue.

We have Windows infrastructure and I'd like to connect to it via my RedHat 8.

I have all the files:
VPN-CA-Certificate.crt
VPN-Client-Certificate-2022.key
VPN-Client-Certificate-2022.p12

and the OVPN file:

```
dev tun
persist-tun
persist-key
cipher AES-256-CBC
route-method exe
route-delay 2
auth SHA512
tls-client
client
resolv-retry infinite
remote XX.XXX.XXX.XXX 443 tcp
connect-timeout 10
lport 0
verify-x509-name "VPN-Server-Certificate" name
auth-user-pass
auth-nocache
ca VPN-CA-Certificate.crt
cryptoapicert "SUBJ:VPN-Client-Certificate-2022, XXXXXXXXXX"
tls-auth VPN-Client-Certificate-2022.key 1
remote-cert-tls server
comp-lzo adaptive
```

Can you please advise how to continue with this cryptoapicert function?

I converted the p12 to pem and imported to RedHat.


Regards //T.

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Posted: Wed Oct 20, 2021 4:04 pm
by 300000
VPN-Client-Certificate-2022.p12 contains 3 certificates. That is all you need; now you need to convert it to use on Linux.

On Linux they use three files: the public CA certificate with extension .crt, the public client certificate with extension .crt, and the private client certificate with extension .key.

You can download xca on Windows and import VPN-Client-Certificate-2022.p12, then export to the three files named above, and then you can make connections on Linux.

You can try it yourself first; if it does not work, I can help you.

Re: Alternative to cryptoapicert "SUBJ:.xxxx" on linux

Posted: Wed Oct 27, 2021 4:41 pm
by becm
You can also test the required cert and key options on Windows to verify the contents of your .p12 and .key files.
It may be easier/required to use the certificate in PEM format (like the CA file).

The text/base64 variants of ca/cert/key can be inlined into client.conf for easier profile import/redistribution.
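
The conversion discussed in this thread, as an added example that was not posted by any participant: it splits a PKCS#12 bundle into CA certificate, client certificate and private key with openssl, checks that the key belongs to the client certificate, and prints the `<ca>`, `<cert>` and `<key>` inline sections. The bundle, its passphrase and all file names are constructed sample values, and the function names are made up for this example.

```shell
#!/bin/sh
# Added example; file names and the passphrase are constructed placeholders.

make_sample_p12() {  # constructed input: throwaway CA + client cert -> $1/client.p12
    d=$1; printf 'test-pass\n' > "$d/pass.txt"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Sample-CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample-Client" \
        -keyout "$d/c.key" -out "$d/c.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/c.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/c.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/c.key" -in "$d/c.pem" -certfile "$d/ca.pem" \
        -passout "file:$d/pass.txt" -out "$d/client.p12"
}

# p12_split BUNDLE PASSFILE OUTDIR: write ca.crt, client.crt, client.key as PEM.
# Subshell body keeps umask 077 local. -nodes leaves the key unencrypted on disk,
# so its only protection is the owner-only file mode.
p12_split() (
    umask 077
    mkdir -p "$3" || exit 1
    openssl pkcs12 -in "$1" -passin "file:$2" -cacerts -nokeys -out "$3/ca.crt" &&
    openssl pkcs12 -in "$1" -passin "file:$2" -clcerts -nokeys -out "$3/client.crt" &&
    openssl pkcs12 -in "$1" -passin "file:$2" -nocerts -nodes -out "$3/client.key"
)

# key_matches_cert CERT KEY: true only if both carry the same public key.
key_matches_cert() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# inline_blocks DIR: print <ca>, <cert>, <key> sections for the profile, dropping
# the "Bag Attributes" text openssl writes in front of each PEM block.
inline_blocks() {
    for pair in ca:ca.crt cert:client.crt key:client.key; do
        printf '<%s>\n' "${pair%%:*}"
        sed -n '/-----BEGIN/,/-----END/p' "$1/${pair#*:}"
        printf '</%s>\n' "${pair%%:*}"
    done
}

# Demo on the constructed bundle.
work=$(mktemp -d) && make_sample_p12 "$work" &&
    p12_split "$work/client.p12" "$work/pass.txt" "$work/out" &&
    key_matches_cert "$work/out/client.crt" "$work/out/client.key" &&
    inline_blocks "$work/out" > "$work/inline.txt" &&
    echo "inline sections written to $work/inline.txt"
```

In a Linux profile the printed sections take the place of the `ca` and `cryptoapicert` lines.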