Reference existing cert in keychain

Official client software for OpenVPN Access Server and OpenVPN Cloud.
Post Reply
mcfly9
OpenVpn Newbie
Posts: 6
Joined: Wed Oct 31, 2018 5:16 pm

Reference existing cert in keychain

Post by mcfly9 » Sat Feb 06, 2021 9:54 pm

I have been playing today with getting OpenVPN work with Intune management. There I have been blocked by not being able to deploy the ca directive due to field length issues.

My next try was with a mobileconfig file. I have managed to get it working by adding a user certificate to the config, referencing it in the VPN configuration and omitting cert and key directives. All good, connection succeeds, the connection log neatly shows that OpenVPN is enumerating the keychains, find two certs, uses one and manages to connect.

But I don't want to use the same cert for all my users, so I have removed the certificate from the mobileconfig. I do have a cert on the phone deployed through an other configuration profile (by an MDM) and I would like to use that cert.

This made the client complain: Missing external certificate. If I click select, I have got no UI to select the cert. The log shows: EVENT: CORE_ERROR Missing External PKI alias [ERR] and there is no sign of the client looking into the keychain.

How do I make the client start looking for certs in the keychain instead of just failing?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8665
Joined: Fri Jun 03, 2016 1:17 pm

Re: Reference existing cert in keychain

Post by TinCanTech » Sat Feb 06, 2021 10:09 pm

You have had three unanswered questions, of which this is the third.

Strike three! - You're Out!

Why? you ask .. because we don't even know which version of openvpn you are using.

mcfly9
OpenVpn Newbie
Posts: 6
Joined: Wed Oct 31, 2018 5:16 pm

Re: Reference existing cert in keychain

Post by mcfly9 » Sat Feb 06, 2021 10:52 pm

TinCanTech wrote:
Sat Feb 06, 2021 10:09 pm
You have had three unanswered questions, of which this is the third.

Strike three! - You're Out!

Why? you ask .. because we don't even know which version of openvpn you are using.
Thanks for calling my attention.

Server version: pfSense 2.4.5-p1 built in
Client version: 3.2.2 (3507)

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8665
Joined: Fri Jun 03, 2016 1:17 pm

Re: Reference existing cert in keychain

Post by TinCanTech » Sat Feb 06, 2021 11:11 pm


mcfly9
OpenVpn Newbie
Posts: 6
Joined: Wed Oct 31, 2018 5:16 pm

Re: Reference existing cert in keychain

Post by mcfly9 » Sat Feb 06, 2021 11:38 pm

Inlining works beautifully. (CASE #1)
Creating a mobileconfig with a user cert and the openvpn config in it, then deploying the mobileconfig through my MDM (Intune) works great as well. (CASE#2) The client notices that there is no cert and key directive, enumerates the keychain and finds the cert to use.

What I wasn't able to get to work:
- have Intune deploy a cert through SCEP and have Intune deploy a custom OpenVPN config profile (CASE#3) - Intune won't allow the ca directive due to a 1000 char limit on key-value pairs (see viewtopic.php?f=36&t=31784), without which the connection obviously fails
- have Intune deploy a cert through SCEP and have Intune deploy the VPN config in a mobileconfig (CASE#4) - I found no way to reference the SCEP cert in the client config or to have the client look for a cert in the keychain similar to how it happens in CASE#2

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 8665
Joined: Fri Jun 03, 2016 1:17 pm

Re: Reference existing cert in keychain

Post by TinCanTech » Sat Feb 06, 2021 11:57 pm

mcfly9 wrote:
Sat Feb 06, 2021 11:38 pm
What I wasn't able to get to work:
- have Intune deploy a cert through SCEP and have Intune deploy a custom OpenVPN config profile (CASE#3) - Intune won't allow the ca directive due to a 1000 char limit on key-value pairs
This forum is not the right place for your question.

Try an openvpn mailing list..

mcfly9
OpenVpn Newbie
Posts: 6
Joined: Wed Oct 31, 2018 5:16 pm

Re: Reference existing cert in keychain

Post by mcfly9 » Sun Feb 07, 2021 8:50 am

Thanks, will do.

Post Reply