VPN-On-Demand configuration error: CertificateRef undefined

[prosperot]

Does anyone know what this error means...

I tried to add the ca cert en key details in de config.ovpn and loaded the keys via p12 onto my iPad but this didn't help..

tia

[gdanielv]

prosperot, did you follow this instructions from the Help section?

Q: Can I use iOS 6 VPN-On-Demand with OpenVPN?
A: Yes. VPN-On-Demand (VoD) is a new technology introduced by Apple in iOS 6 that allows a VPN profile to specify the conditions under which it will automatically connect. OpenVPN on iOS fully supports VoD, with the following features:
• The iPhone Configuration Utility can be used to create an OpenVPN VoD profile by entering OpenVPN configuration file parameters as key/ value pairs.
• The OpenVPN app supports connect and disconnect actions triggered by the iOS VoD subsystem.
• The OpenVPN app recognizes VoD profiles and will show them in the UI and allow them to be monitored and controlled like other OpenVPN
profiles (with the exception that VoD profiles cannot be manually connected from the app UI, they can only be disconnected -- this is because
a VoD profile is designed to be connected automatically by iOS).
OpenVPN VoD profiles can be created using the iPhone Configuration utility. Unfortunately, the process is a bit cumbersome at the moment because the directives of the OpenVPN profile must be manually entered as key/value pairs into the iPhone Configuration utility UI. In the future, we plan to streamline this process with an automated conversion tool that will convert an OpenVPN profile into an iOS VoD profile.
For now, to create a VoD profile, open the iPhone Configuration utility (these directions were tested with version 3.5 on a Mac tethered to an iPad running iOS 6.0.1), go to the File menu, and select "New Configuration Profile".
Next, edit the newly created Configuration Profile. Click on Generalin the left pane and fill out the fields such as Name, Identifier, Organization, etc. Click on VPN in the left pane and a "Configure VPN" dialog box should appear in the main window. Click the "Configure" button. Fill out the VPN settings as described below:
• Connection Name should be set to a name that will identity this profile on the device
• Connection Type should be set to Custom SSL
• Identifier should be set to "net.openvpn.OpenVPN-Connect.vpnplugin"
• Server can be set to a hostname, or "DEFAULT" to use the hostname(s) from the OpenVPN configuration.
• User Authentication should be set to Certificate, and the client certificate+key should be attached as a PKCS#12 file.
• VPN On Demand should be enabled and match entries should be defined to instruct iOS under which conditions the VPN profile should be
automatically connected.
In addition, parameters normally given in the OpenVPN client configuration file may instead be defined using key/value pairs:
• VoD requires an OpenVPN autologin profile, i.e. a profile that authenticates using only a client certificate and key, without requiring a connection password.
• Define each OpenVPN directive as a key, with arguments specified as the value. As in the OpenVPN configuration file, arguments are space- delimited and may be quoted.
• At a minimum, key/value pairs forca and remote must be defined.
• Key value pairs for tls-auth,comp-lzo, cipher, ns-cert-type, and remote-cert-tls must be defined if the server requires them.
• For OpenVPN directives with no arguments, use "NOARGS" as the value.
• If multiple instances of the same directive are present, when entering the directive as a key, number the directives in the order they should be
given to OpenVPN by appending .n to the directive, where n is an integer, such asremote.1 or remote.2
• For multi-line directives such asca and tls-auth, where the argument is a multi-line file, an escaping model has been provided to allow the file
content to be specified as a single-line value. The procedure is to convert the multi-line data to a single line by replacing line breaks with "\n".
Note that because of this escaping model, you must use "\\" to pass backslash itself.
• For OpenVPN Access Server meta-directives such as "OVPN_ACCESS_SERVER_USERNAME", remove
theOVPN_ACCESS_SERVER_prefix, giving USERNAME as the directive.
Once the VoD profile has been defined, you have two options for exporting it to an iOS device:
• If your device is currently tethered, click on your device name in the left pane. Then in the main window, click on the Configuration Profiles tab. You should see the name of your Configuration Profile and a button to install it on the device.
• You can also save the Configuration Profile as a .mobileconfig file, and make it available to iOS clients via email or the web. To do this, select your Configuration Profile, go to the File menu, and select "Export...". An Export Configuration Profile dialog box will appear. Select a Security option -- "Sign configuration profile" is a reasonable choice. Press the Export button and save the profile.
When an iOS device receives a VoD profile (via Mail attachment, Safari download, or pushed by the iPhone Configuration utility), it will raise a dialog box to facilitate import of the profile. After import, the profile will be visible in the Settings App under General / Profiles. It will also be visible as a profile in the OpenVPN app. Note that the profile must be the currently enabled VPN profile in order for the VoD functionality to work.

[prosperot]

I don't use the VOD, juist de .ovpn file and de ca.crt client.crt and client.key..

Strangely this works flawless on my (non jailbreaked) iPad 2...

So I guess it must be:

a iPad 1 vs iPad 2
b ios 5.1.1 vs ios 6
c jailbreak vs original
d all of the above.

[jamesyonan]

For VPN-On-Demand (VoD) connections, CertificateRef undefined means that the VoD profile is missing a bundled certificate/private-key. When making a VoD profile, be sure to bundle a PKCS#12 file with client certificate and key.

James

[snison]

Hi all:

I'm using iOS App Store OpenVPN Connect Private Tunnel/Chicago and running into the same issue.

VPN-On-Demand configuration error: CertificateRef undefined

I have deleted, rebooted, and reimported Private Tunnel/Chicago Autologin profile (Chicago.ovpn). The solution suggested below does me no good since I do not control the server. iPhone 3,3CDMA 5.1.1.

TIA

[philippe44]

2 things matter a lot :

1- When you do your profile with the iphone tool, in the key/value entry, you must enter for the "ca" value the exact containt of your ca.crt file, BUT, every 0xA must be replaced by "\n" so that it become a single ligne (in other words you do have to escape the new line)

2- Prior to this, did you import in the Windows certificate manager your pkcs#12 certificate that include the CA and your private and public key and made the private key exportable ? Then did you choose the correct client certificate in the long list proposed by the iPhone Utility when you want to add a "Credential" item

[JayWheel]

I had the exact same error, finally figured it out: I had xCon installed (Cydia tweak so I can watch UPC on my JB iPhone).
After removing xCon, problem was solved.

[snison]

where is the "iPhone Utility" you speak of?

[dangil]

I managed to configure the profile using these instructions.

Installed the profile, and it worked. the profile appears both on iOS and inside OpenVPN Connect as a VPN-On-Demand profile

but if I close iPhone Configurator Utility 3.6.2.300 and reopen, the CustomSSL VPN profile turns to OpenVPN, and the key/store values are lost. the .mobileconfig created by the utility inside c:\users\<username>\AppData\Local\Apple Computer\MobileDevice\Configuration Profiles\ gets overwritten, without the proper values in the section:

<key>VendorConfig</key>
<dict>
<key>ca</key>
<string><certificate></string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>remote</key>
<string>host 1194</string>
</dict>


if I remove and reinstall the profile on my phone, it no longer works, crashing the openvpn app. the connection profile doesn't show up on OpenVPN connect as well.

I guess iPCU is not fully compatible with OpenVPN yet.

[atothek]

I had the exact same error, finally figured it out: I had xCon installed (Cydia tweak so I can watch UPC on my JB iPhone).
After removing xCon, problem was solved.

Thanks so much! Fixed it for me right away. Greatly appreciate it.

[JayWheel]

Problem is solved in the latest version of xCon.

You need xCon v38 beta 8 or higher (currently at beta 22).

Add repo http://n00neimp0rtant.dyndns.org/repo/ to cydia for a newer version.

[Nucleardragon]

I managed to configure the profile using these instructions.

Installed the profile, and it worked. the profile appears both on iOS and inside OpenVPN Connect as a VPN-On-Demand profile

but if I close iPhone Configurator Utility 3.6.2.300 and reopen, the CustomSSL VPN profile turns to OpenVPN, and the key/store values are lost. the .mobileconfig created by the utility inside c:\users\<username>\AppData\Local\Apple Computer\MobileDevice\Configuration Profiles\ gets overwritten, without the proper values in the section:

<key>VendorConfig</key>
<dict>
<key>ca</key>
<string><certificate></string>
<key>comp-lzo</key>
<string>NOARGS</string>
<key>remote</key>
<string>host 1194</string>
</dict>


if I remove and reinstall the profile on my phone, it no longer works, crashing the openvpn app. the connection profile doesn't show up on OpenVPN connect as well.

I guess iPCU is not fully compatible with OpenVPN yet.

Pls help me , how to add a key *.p12 into iOS via the iPhone Configuration Utility (v 3.6.2.3)
I add a certificate to the "Credentials", but on the VPN settings page, I can't select the certificate (menu "Add Credentials in the Credentials payload")