I have been playing today with getting OpenVPN to work with Intune management. There I have been blocked by not being able to deploy the ca directive due to field length issues.
My next try was with a mobileconfig file. I have managed to get it working by adding a user certificate to the config, referencing it in the VPN configuration and omitting the cert and key directives. All good, the connection succeeds, and the connection log neatly shows that OpenVPN is enumerating the keychains, finds two certs, uses one and manages to connect.
But I don't want to use the same cert for all my users, so I have removed the certificate from the mobileconfig. I do have a cert on the phone deployed through another configuration profile (by an MDM) and I would like to use that cert.
This made the client complain: "Missing external certificate". If I click select, I get no UI to select the cert. The log shows: "EVENT: CORE_ERROR Missing External PKI alias [ERR]" and there is no sign of the client looking into the keychain.
How do I make the client start looking for certs in the keychain instead of just failing?
Reference existing cert in keychain
-
- OpenVpn Newbie
- Posts: 8
- Joined: Wed Oct 31, 2018 5:16 pm
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Reference existing cert in keychain
You have had three unanswered questions, of which this is the third.
Strike three! - You're Out!
Why? you ask .. because we don't even know which version of openvpn you are using.
-
- OpenVpn Newbie
- Posts: 8
- Joined: Wed Oct 31, 2018 5:16 pm
Re: Reference existing cert in keychain
Thanks for calling my attention.
TinCanTech wrote: Sat Feb 06, 2021 10:09 pm
    You have had three unanswered questions, of which this is the third.
    Strike three! - You're Out!
    Why? you ask .. because we don't even know which version of openvpn you are using.
Server version: pfSense 2.4.5-p1 built in
Client version: 3.2.2 (3507)
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
-
- OpenVpn Newbie
- Posts: 8
- Joined: Wed Oct 31, 2018 5:16 pm
Re: Reference existing cert in keychain
Inlining works beautifully. (CASE #1)
Creating a mobileconfig with a user cert and the openvpn config in it, then deploying the mobileconfig through my MDM (Intune) works great as well. (CASE#2) The client notices that there is no cert and key directive, enumerates the keychain and finds the cert to use.
What I wasn't able to get to work:
- have Intune deploy a cert through SCEP and have Intune deploy a custom OpenVPN config profile (CASE#3) - Intune won't allow the ca directive due to a 1000 char limit on key-value pairs (see viewtopic.php?f=36&t=31784), without which the connection obviously fails
- have Intune deploy a cert through SCEP and have Intune deploy the VPN config in a mobileconfig (CASE#4) - I found no way to reference the SCEP cert in the client config or to have the client look for a cert in the keychain similar to how it happens in CASE#2
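The CASE#2 layout described above, as an added example that is not from this thread, from OpenVPN's documentation or from Intune: a mobileconfig carrying a per-user PKCS#12 payload plus a VPN payload that points at it through PayloadCertificateUUID, with no cert or key directive in the OpenVPN settings so the client resolves the identity from the keychain. The VPNSubType value, the VendorConfig key layout, the hostnames, UUIDs, and the base64/password placeholders are assumptions, not values taken from the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>example.vpn.profile</string>
  <key>PayloadUUID</key><string>11111111-1111-1111-1111-111111111111</string>
  <key>PayloadDisplayName</key><string>OpenVPN (CASE#2 layout)</string>
  <key>PayloadContent</key>
  <array>
    <!-- Per-user identity: this payload installs cert + private key into the keychain.
         Issue a different PKCS#12 per user; never ship one shared identity to everyone. -->
    <dict>
      <key>PayloadType</key><string>com.apple.security.pkcs12</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.vpn.identity</string>
      <key>PayloadUUID</key><string>22222222-2222-2222-2222-222222222222</string>
      <key>PayloadDisplayName</key><string>VPN client identity</string>
      <key>Password</key><string>PLACEHOLDER-P12-PASSWORD</string>
      <key>PayloadContent</key><data>PLACEHOLDER-BASE64-PKCS12</data>
    </dict>
    <!-- VPN payload: references the identity above by UUID (assumed VPNSubType for
         OpenVPN Connect). The OpenVPN settings deliberately carry no cert/key directive. -->
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>example.vpn.tunnel</string>
      <key>PayloadUUID</key><string>33333333-3333-3333-3333-333333333333</string>
      <key>PayloadDisplayName</key><string>Corporate OpenVPN</string>
      <key>UserDefinedName</key><string>Corporate OpenVPN</string>
      <key>VPNType</key><string>VPN</string>
      <key>VPNSubType</key><string>net.openvpn.OpenVPN-Connect.vpnplugin</string>
      <key>VPN</key>
      <dict>
        <key>AuthenticationMethod</key><string>Certificate</string>
        <key>PayloadCertificateUUID</key><string>22222222-2222-2222-2222-222222222222</string>
        <key>RemoteAddress</key><string>vpn.example.com</string>
      </dict>
      <!-- Assumed layout: one OpenVPN directive per key; the CA is inlined here because
           a profile payload has no per-field length limit the way Intune key-values do. -->
      <key>VendorConfig</key>
      <dict>
        <key>remote</key><string>vpn.example.com 1194 udp</string>
        <key>ca</key><string>-----BEGIN CERTIFICATE-----
PLACEHOLDER-PEM-CA
-----END CERTIFICATE-----</string>
      </dict>
    </dict>
  </array>
</dict>
</plist>
```

To spot the failure mode in the thread, compare a profile with cert deployed via a separate SCEP payload: the VPN payload's PayloadCertificateUUID then has nothing to match inside this profile, which is where the client falls back to the "Missing External PKI alias" error instead of enumerating the keychain.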
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Reference existing cert in keychain
This forum is not the right place for your question.
Try an openvpn mailing list..
-
- OpenVpn Newbie
- Posts: 8
- Joined: Wed Oct 31, 2018 5:16 pm
Re: Reference existing cert in keychain
Thanks, will do.