I'm very confused. There seems to have been a lot of turbulence in the OpenVPN iPhone world lately, and I think some of the documentation isn't very clear as a result.
Does OpenVPN still support using the iOS keychain, without having to load my P12 (private key/cert/CA) directly into OpenVPN?
This FAQ seems to simultaneously say that using the iOS keychain is the new method because it's best for security, while then, I think very confusingly, saying that you have to create an ovpn12 file, which gets imported directly into OpenVPN, and not the keychain.
When I load a P12 file into the iOS keychain, OpenVPN doesn't seem to have any access to it. When I load an ovpn12 file into OpenVPN, the iOS keychain doesn't seem to have any access to it. They seem to be completely separate now.
I'm using OpenVPN Connect 3.0.2 and iOS 12.0.1, which are both the latest versions as of today.
Does OpenVPN Connect still support using the iOS iPhone keychain for certificate identity?
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Oct 16, 2018 8:27 am
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Does Openvpn Connect still support using IOS Iphone keychain for certificate identity?
Sorry for the confusion. When saying "iOS keychain" the FAQ refers to the keychain provided by iOS in general.
OpenVPN itself does not implement its own keychain but reuses what the system provides.
This said, since recent updates in the iOS API, each app importing key material stores it in a portion of the iOS keychain that is only accessible by that app. This is why you can't see the key material imported through the system-wide import and vice versa.
To conclude, the reasons above are why OpenVPN Connect needs its own .ovpn12 extension and imports any key material by itself.
I hope this helps clarify the situation.
- OpenVpn Newbie
- Posts: 2
- Joined: Tue Oct 16, 2018 8:27 am
Re: Does Openvpn Connect still support using IOS Iphone keychain for certificate identity?
Thanks for the quick and helpful response.
Do you know of any Apple (or other) documentation that calls out and describes this change? I'd like to read more about it. It seems a little odd to me that Apple would turn the process of importing and managing keychain certificates over to non-Apple applications, requiring things like filename extension changes, and possibly allowing third parties to mishandle certificates in a way not previously possible. It doesn't seem very "Apple" to me.
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Does Openvpn Connect still support using IOS Iphone keychain for certificate identity?
Well, storing/reading/handling is still performed through their API. There is just this concept of "ownership" to keep apps from fiddling with things that do not belong to them.
Maybe the "Discussion" paragraph at the end of [1] has some hints. However I don't know when this change was implemented exactly.
[1] https://developer.apple.com/documentati ... nguage=occ
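To make the "ownership" point above concrete, here is an added example (not OpenVPN Connect's code, and not from this thread) of what an iOS app does with the public Security framework when it takes a PKCS#12 bundle and puts the identity into its own slice of the keychain. The access group string and the label are placeholders; a real app uses the group from its entitlements (by default `<TeamID>.<bundle id>`), and the keychain rejects any other value.

```swift
import Foundation
import Security

/// Error surfaced to the caller when a keychain call fails.
struct KeychainError: Error {
    let status: OSStatus
    let step: String
}

/// Hypothetical access group (placeholder). In a real app this is
/// "<TeamID>.<bundle id>" or a group declared in the entitlements.
let appAccessGroup = "TEAMID0000.com.example.vpnclient"

/// Label under which the identity is stored so it can be found again later.
let identityLabel = "vpn-client-identity"

/// Unpack a PKCS#12 bundle (the same format OpenVPN Connect reads from a
/// .ovpn12 file) and store the SecIdentity in this app's keychain slice.
func importIdentity(pkcs12 data: Data, passphrase: String) throws -> SecIdentity {
    // 1. Parse the bundle. SecPKCS12Import needs the passphrase to unwrap the
    //    private key; it returns one dictionary per identity found.
    let options: [String: Any] = [kSecImportExportPassphrase as String: passphrase]
    var rawItems: CFArray?
    let importStatus = SecPKCS12Import(data as CFData, options as CFDictionary, &rawItems)
    guard importStatus == errSecSuccess else {
        throw KeychainError(status: importStatus, step: "SecPKCS12Import")
    }
    guard let items = rawItems as? [[String: Any]],
          let first = items.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        throw KeychainError(status: errSecDecode, step: "no identity in bundle")
    }
    let identity = identityRef as! SecIdentity

    // 2. Persist it. kSecAttrAccessGroup pins the item to this app's group
    //    (the "ownership" discussed above); ThisDeviceOnly keeps the key out
    //    of backups and off other devices.
    let addQuery: [String: Any] = [
        kSecValueRef as String: identity,
        kSecAttrLabel as String: identityLabel,
        kSecAttrAccessGroup as String: appAccessGroup,
        kSecAttrAccessible as String: kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
    ]
    let addStatus = SecItemAdd(addQuery as CFDictionary, nil)
    guard addStatus == errSecSuccess || addStatus == errSecDuplicateItem else {
        throw KeychainError(status: addStatus, step: "SecItemAdd")
    }
    return identity
}

/// Look the identity up again for a TLS handshake. A different app issuing
/// the same query gets errSecItemNotFound: the item is in another access group.
func loadIdentity() throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: identityLabel,
        kSecAttrAccessGroup as String: appAccessGroup,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let ref = result else {
        throw KeychainError(status: status, step: "SecItemCopyMatching")
    }
    return ref as! SecIdentity
}
```

The behaviour the original poster observed follows directly from the two queries: an identity added through the system-wide profile import sits in a group this app cannot name, and an identity this app adds is invisible to the system import, so the app has to be handed the PKCS#12 bytes itself. If the VPN tunnel runs in a Network Extension, the app and the extension must share the same access group or the extension's lookup fails the same way.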
- ordex
- OpenVPN Inc.
- Posts: 444
- Joined: Wed Dec 28, 2016 2:32 am
- Location: IRC #openvpn-devel @ libera.chat
Re: Does Openvpn Connect still support using IOS Iphone keychain for certificate identity?
Just for the record: this approach was discussed with Apple precisely because, when developing the new version of Connect, we hit this issue and needed a way to get access to PKCS#12 bundles again.