From OpenVPN help:
Q: How do I use a client certificate and private key from the iOS Keychain?
A: Using the iOS keychain to store your private key has the added security advantage of leveraging the hardware-backed keystores that exist on many iOS devices, allowing the key to be protected by the iOS-level device password, and preventing key compromise even if the device is rooted.
If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the iOS Keychain using Mail or Safari.
Note that on iOS, when you import a PKCS#12 file into the Keychain, only the client certificate and private key are imported. The CA (certificate authority) certificates are NOT imported (unless you manually extract the CA certificates and import them separately, one-at-a-time). Therefore, the CA list must be given in the profile using the ca directive. If you already have a PKCS#12 file, the CA list may be extracted from the file using this openssl command, where the CA certs in client.p12 are written to ca.crt:
openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt
Then add a reference to ca.crt to your profile:
ca ca.crt
or paste the contents of ca.crt directly into your profile:
<ca>
paste contents of ca.crt here
</ca>
If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this openssl command (where cert, key, and ca are your client certificate, client key, and root CA files).
openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.p12
Then import the client.p12 file from the previous step into the app using Mail or Safari.
Once this is done, remove the cert and key directives from your .ovpn file and re-import it, making sure that the ca directive remains. Once imported, any profile that lacks cert and key directives will cause a Certificate row to appear on the main view, allowing the profile to be linked with an Identity from the iOS Keychain (on iOS, an Identity refers to a certificate/private-key pair that was previously imported using a PKCS#12 file). Touch the Certificate row and select the MyClient certificate. At this point, you should be able to connect normally.
Q: When I try to import a PKCS#12 file, why am I being asked for a password?
A: When you generate a PKCS#12 file, you will always be asked for an "export password" to encrypt the file. This password must again be presented when the PKCS#12 file is imported into the iOS Keychain. This is to prevent interception and recovery of the private key during transport.
Q: Why doesn't the PKCS#12 file in my OpenVPN configuration file work the same as on desktop systems?
A: PKCS#12 files on iOS are used somewhat differently than on desktop versions of OpenVPN. In desktop versions, PKCS#12 files can be bundled or referenced in the OpenVPN profile. On iOS, however, PKCS#12 management is built into the iOS Keychain. This approach is much better from a security perspective, because the Keychain can then leverage hardware features in the device such as hardware-backed keystores. However, it does require that the PKCS#12 file be loaded into the iOS Keychain as a separate step from importing the OpenVPN profile. It also moves the responsibility for managing PKCS#12 files to the iOS Keychain, and away from OpenVPN, so it can potentially introduce compatibility issues.
To use a PKCS#12 file on iOS, see the FAQ item above: How do I use a client certificate and private key from the iOS Keychain?
Q: After importing my PKCS#12 file into the iOS Keychain, I am getting an error when I try to connect: "PolarSSL: ca certificate is undefined"
A: This error can occur if you don't include a ca directive in your profile, since the iOS Keychain does not provide the CA list from the PKCS#12 file to OpenVPN. The solution is to extract the CA list from the PKCS#12 file and add it to your profile via the ca directive. This is discussed in detail in the FAQ item above: How do I use a client certificate and private key from the iOS Keychain?
----------------
So I have an ovpn file and a p12 file (from IPCop). The files work fine on a PC.
My ovpn looks like this:
#OpenVPN Server conf
tls-client
client
dev tun
proto tcp
tun-mtu 1400
remote xxsomethingxx.org portnumber
pkcs12 XXmynameXX.p12
cipher BF-CBC
comp-lzo
verb 3
ns-cert-type server
#route-method exe
#route-delay 2
auth-nocache
I like to use Mail, but I understand I need to do something in order to make this work on my iPad.
Can someone be kind enough to take the time to explain to me, in a better way than this help guide, what exactly I should do?
(I'm getting the error "CORE_ERROR PolarSSL: ca certificate is undefined")
How do I use a client certificate and private key from .....
- OpenVpn Newbie
- Posts: 4
- Joined: Wed Oct 07, 2015 1:31 pm
- Traffic
- OpenVPN Protagonist
- Posts: 4066
- Joined: Sat Aug 09, 2014 11:24 am
Re: How do I use a client certificate and private key from .
It looks like this:
Perhaps this will help:
https://community.openvpn.net/openvpn/wiki/IOSinline
R1200CL wrote: I'm getting the error "CORE_ERROR PolarSSL: ca certificate is undefined"
R1200CL wrote: Q: After importing my PKCS#12 file into the iOS Keychain, I am getting an error when I try to connect: "PolarSSL: ca certificate is undefined"
You need the ca.crt from the server and then define a ca block in your client profile:
R1200CL wrote: A: This error can occur if you don't include a ca directive in your profile
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
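To tie the FAQ steps in the first post and Traffic's answer together, here is an added Python example (not from the OpenVPN project or either poster) that runs the FAQ's openssl command to pull the CA list out of a PKCS#12 file, then rewrites a desktop profile like the one above for iOS: it drops the pkcs12, cert and key directives and inlines the CA list as a <ca> block. The script name, the example host, the empty export password and the sample inputs are constructed for illustration.

```python
import re
import subprocess
import sys

# Directives the iOS app takes from the Keychain identity instead of the
# profile; they must be removed before the profile is re-imported.
REMOVED = {"pkcs12", "cert", "key"}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)

def pem_blocks_only(openssl_output):
    """Keep only certificate blocks; openssl also prints 'Bag Attributes' lines."""
    return "\n".join(PEM_RE.findall(openssl_output)) + "\n"

def extract_ca_pem(p12_path, password=""):
    """Run the FAQ's command (openssl pkcs12 -cacerts -nokeys) and capture the CA list.
    Assumes the export password is known; -passin avoids the interactive prompt."""
    proc = subprocess.run(
        ["openssl", "pkcs12", "-in", p12_path, "-cacerts", "-nokeys",
         "-passin", "pass:" + password],
        check=True, capture_output=True, text=True)
    pem = pem_blocks_only(proc.stdout)
    if not PEM_RE.search(pem):
        # Some PKCS#12 files carry only the identity; then ca.crt must come from the server.
        raise ValueError("no CA certificate found in " + p12_path)
    return pem

def make_ios_profile(desktop_ovpn, ca_pem):
    """Drop pkcs12/cert/key (and a file-based 'ca') and append the CA list inline."""
    kept = []
    for line in desktop_ovpn.splitlines():
        word = line.split(None, 1)[0] if line.strip() else ""
        if word in REMOVED or word == "ca":
            continue
        kept.append(line)
    return "\n".join(kept) + "\n<ca>\n" + ca_pem.rstrip("\n") + "\n</ca>\n"

# Constructed sample inputs: a profile like the poster's with placeholder values,
# and a stand-in for openssl's output whose certificate body is not a real cert.
SAMPLE_OVPN = ("client\ndev tun\nproto tcp\nremote vpn.example.org 1194\n"
               "pkcs12 me.p12\ncipher BF-CBC\nns-cert-type server\n")
SAMPLE_OPENSSL_OUT = ("Bag Attributes: <No Attributes>\nsubject=CN=Example CA\n"
                      "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: ios_profile.py client.p12 desktop.ovpn > ios.ovpn
        ca_pem = extract_ca_pem(sys.argv[1])
        with open(sys.argv[2]) as f:
            print(make_ios_profile(f.read(), ca_pem), end="")
    else:
        print(make_ios_profile(SAMPLE_OVPN, pem_blocks_only(SAMPLE_OPENSSL_OUT)), end="")
```

After importing the rewritten profile, the Certificate row appears in the app and can be linked to the identity imported from the .p12 file, as the FAQ describes.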