App does not ask for inline certificate password

Post Reply
slaver7
OpenVpn Newbie
Posts: 9
Joined: Sun Jan 26, 2020 9:09 am

App does not ask for inline certificate password

Post by slaver7 » Sun Jan 26, 2020 9:17 am

Hi,

our server needs 2 passwords, one for the user account, one for the embedded server certificate.

client.ovpn

client

dev tun
remote server 1194
proto udp

resolv-retry infinite
auth-retry none
auth-user-pass

nobind
persist-key
persist-tun

ecdh-curve secp521r1
auth SHA512
cipher AES-256-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server

mute-replay-warnings
explicit-exit-notify 1

verb 3
mute 20

reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-----END EC PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>


After importing the configuration via safari (and copy it to ovpn), use app will ask for a user and password. After that the connection throws an error like

Code: Select all

mbed TLS: error parsing config private key : PK - Given private key password does not allow for correct decryption [ERR]
Where I have to set the certificate passphrase?

slaver7
OpenVpn Newbie
Posts: 9
Joined: Sun Jan 26, 2020 9:09 am

Re: App does not ask for inline certificate password

Post by slaver7 » Sun Jan 26, 2020 9:47 am

After reading

https://community.openvpn.net/openvpn/t ... um_hist=12

I convert my key to an pkcs8 file using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}"
The UI is now asking for an certificate password but I get the error

Code: Select all

mbed TLS: error parsing config private key PKCS5 - Requested encryption or digest alg not available

slaver7
OpenVpn Newbie
Posts: 9
Joined: Sun Jan 26, 2020 9:09 am

Re: App does not ask for inline certificate password

Post by slaver7 » Sun Jan 26, 2020 9:57 am

Using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v1 PBE-SHA1-3DES
resolves the "Requested encryption or digest alg not available error" but now I a new error:

Code: Select all

mbed TLS: error parsing config private key : PKCS12 - Bad input parameters to function
Edit:
It look like "-v2 des3 -v2prf hmacWithSHA1" is required. If i'm using

Code: Select all

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v2 des3 -v2prf hmacWithSHA1
I the private key can used

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7827
Joined: Fri Jun 03, 2016 1:17 pm

Re: App does not ask for inline certificate password

Post by TinCanTech » Sun Jan 26, 2020 12:53 pm

You may find it easier to generate your PKI with easy-rsa:
https://github.com/OpenVPN/easy-rsa/releases

slaver7
OpenVpn Newbie
Posts: 9
Joined: Sun Jan 26, 2020 9:09 am

Re: App does not ask for inline certificate password

Post by slaver7 » Sun Jan 26, 2020 10:47 pm

I'm already using easyrsa but the installed version can not protect the keys without interaction.

Thanks

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 7827
Joined: Fri Jun 03, 2016 1:17 pm

Re: App does not ask for inline certificate password

Post by TinCanTech » Sun Jan 26, 2020 10:53 pm

That is the point of having a password ..... interaction by an authorised entity.

Post Reply