Certificate import via iTunes

[pcm]

Hi,

I've exportered my ovpn and .crt file from my NAS.
Via iTunes I drop both of them in the OpenVPN app documents.
OpenVPN recognizes the ovpn file, but I still need to select a .crt file. When I hit this button, it says:
! No certificates are present in ...

Is this a user or application problem?

Best regards,
P

[pcm]

Hi,

I've exportered my ovpn and .crt file from my NAS.
Via iTunes I drop both of them in the OpenVPN app documents.
OpenVPN recognizes the ovpn file, but I still need to select a .crt file. When I hit this button, it says:
! No certificates are present in ...

Is this a user or application problem?

Best regards,
P

No certificates are present in Keychain.

[kraades]

No certificates are present in Keychain.

Yes, I have the same issue with the server running on a Synology DS211.

[pcm]

Yes, I have the same issue with the server running on a Synology DS211.

Mine is also a Synology.
It looks like the .ovpn file is ok. I've tried to import the .crt-file in my iOS, but no luck either.
I'm using iOS 6.0.2.

[kraades]

Me too. Same iOS version. Importing the crt does not help.

I also tried connecting to the Synology using the Windows 64-bit OpenVPN client that can be downloaded from this site. That works by the same principle by just copying the ca.crt and openvpn.ovpn file to the OpenVPN config directory. Then the connection is succesfull.

[dverkaik]

Same problem and IOS version here. I use a ds212J latest firmware DSM 4.1-4668.

Also Imported ca.crt on my ipad and that also didn't help.

[chriscjn]

Same here. IOS 6.0.2 running openvpn on pfsense. All config and certs work fine on other windows clients.

When I try to import into itunes IOS client accepts my config but I then need to select a certificate (required) but I get prompted with "No certificates are present in the Keychain"

Has anyone had any luck with this?

[kraades]

I did some more digging...

Usually you have the following entries in the config file:

Code: Select all

ca ca.crt
cert client.crt
key client.key

In the ovpn file that is downloaded from the Synology you only have:

Code: Select all

ca ca.crt

I guess this is because of the following setting:

Code: Select all

DS211> grep -i req /usr/syno/etc/packages/VPNCenter/openvpn/openvpn.conf
client-cert-not-required
DS211>

Could it be that the OpenVPN client for iOS is not compatible with this setup where no client cert and client key are required?

[kraades]

I could reproduce this with the config files from the HMA VPN service.

The config files can be downloaded from this location:
http://hidemyass.com/vpn-config/vpn-config.zip
(you have to delete the second line with 'ns-cert-type server' or else it won't work)

The config files have an inline <ca>, <cert> and <key> section.
The OpenVPN app for iOS can connect to the server.

Standard profile


If you delete the <cert> and <key> just like in the ovpn file downloaded from the Syno, you have the same issues:

External certificate profile


Two options:

Fix the OpenVPN app for iOS.

-or-

Generate the client.crt and client.key on the Synology and use these in the config.
(and delete the 'client-cert-not-required' from the Syno server config)

[walawa75]

Hello,

Same issue for me too. Please, fix the IOS app

Kraades, how do you do to generate the client.crt and client.key on the Synology and use these in the config ?

[Tri-Alex]

Hi,

I also have the same problem with this. We are also using one CA-certificate with username & password authentication. It seems that the app explicitly asks for a "client.key" and "client.crt". Otherwise it just gives the notification that no certificates are present. I tried to e-mail the CA-certificate & import it through that way, iOS accepts it, but OpenVPN App still doesn't. Every other client on Mac/PC desktop or laptop/macbook works except the mobile devices.

Also could this topic be moved to the OpenVPN Connect (iOS) section? cause I just accidentally stumbled upon this topic through google. But couldn't find it in the appropriate section.

[funkybeat]

good to see I'm not the only one with this problem.

I tried several different config file options without any success.

hopefully someone will find a solution soon.

thanks

[allanparsons]

Same issue here! Adding to watch this thread.

[varaway]

hi,

have onyone a solution for this problem?

Thanks Andi

[frriction]

Just add some random key and cert file, client sends them but server will ignore them.

Here are cert and key you can add below ones to your config.



<cert>
-----BEGIN CERTIFICATE-----
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
-----END CERTIFICATE-----
</cert>

<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>

[pcm]

Things will work if it's done correctly. Do not use default Syn. certificates.
Best thing to do is, generate your own certificates (cfr. Ubuntu manuel - Openvpn).
After creations you need to adept the server & client config files and put all certificates in the correct folders. (cfr. wiki Syn. how to use your own certificates -> creating my cert on Synology NAS didn"t work because of some missing dependencies).
Via iTunes you can upload your own root cert., iphone.key and iphone.crt together with openvpn.ovpn.

Now everything is working very fine!

[funkybeat]

hmmm after I added the <cert> and <key> I get the following error:

OpenVPN error : PolarSSL: error parsing ca certificate : X509 - The certificate format is invalid, e.g. different type expected [ERR]

My format is *.pem do I have to convert it in some way?

thanks

[allanparsons]

Same issue - invalid cert format.

[r3zon8]

Things will work if it's done correctly. Do not use default Syn. certificates.
Best thing to do is, generate your own certificates (cfr. Ubuntu manuel - Openvpn).
After creations you need to adept the server & client config files and put all certificates in the correct folders. (cfr. wiki Syn. how to use your own certificates -> creating my cert on Synology NAS didn"t work because of some missing dependencies).
Via iTunes you can upload your own root cert., iphone.key and iphone.crt together with openvpn.ovpn.

Now everything is working very fine!

pcm,

can you please explain or post the steps you took to get it to connect properly; ive tried to roughly understand and follow what you suggested but i think i missed some steps.

thanks!!

[pcm]

Things will work if it's done correctly. Do not use default Syn. certificates.
Best thing to do is, generate your own certificates (cfr. Ubuntu manuel - Openvpn).
After creations you need to adept the server & client config files and put all certificates in the correct folders. (cfr. wiki Syn. how to use your own certificates -> creating my cert on Synology NAS didn"t work because of some missing dependencies).
Via iTunes you can upload your own root cert., iphone.key and iphone.crt together with openvpn.ovpn.

Now everything is working very fine!

pcm,

can you please explain or post the steps you took to get it to connect properly; ive tried to roughly understand and follow what you suggested but i think i missed some steps.

thanks!!

I'll try this weekend to write things more into detail.