App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 9:17 am
by slaver7
Hi,

our server needs 2 passwords, one for the user account, one for the embedded server certificate.

client.ovpn

client

dev tun
remote server 1194
proto udp

resolv-retry infinite
auth-retry none
auth-user-pass

nobind
persist-key
persist-tun

ecdh-curve secp521r1
auth SHA512
cipher AES-256-GCM
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
remote-cert-tls server

mute-replay-warnings
explicit-exit-notify 1

verb 3
mute 20

reneg-sec 0
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
<tls-crypt>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----
</tls-crypt>
<key>
-----BEGIN EC PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
-----END EC PRIVATE KEY-----
</key>
<cert>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</cert>


After importing the configuration via Safari (and copying it to ovpn), the app will ask for a user and password. After that the connection throws an error like

mbed TLS: error parsing config private key : PK - Given private key password does not allow for correct decryption [ERR]

Where do I have to set the certificate passphrase?

Re: App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 9:47 am
by slaver7
After reading

https://community.openvpn.net/openvpn/t ... um_hist=12

I converted my key to a pkcs8 file using

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}"

The UI is now asking for a certificate password but I get the error

mbed TLS: error parsing config private key PKCS5 - Requested encryption or digest alg not available

Re: App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 9:57 am
by slaver7
Using

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v1 PBE-SHA1-3DES

resolves the "Requested encryption or digest alg not available" error, but now I get a new error:

mbed TLS: error parsing config private key : PKCS12 - Bad input parameters to function

Edit:
It looks like "-v2 des3 -v2prf hmacWithSHA1" is required. If I use

openssl pkcs8 -topk8 -in "${VPN_USERNAME}.key" -passout pass:"${VPN_PASSWORD}" -v2 des3 -v2prf hmacWithSHA1

the private key can be used.

Re: App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 12:53 pm
by TinCanTech
You may find it easier to generate your PKI with easy-rsa:
https://github.com/OpenVPN/easy-rsa/releases

Re: App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 10:47 pm
by slaver7
I'm already using easyrsa but the installed version can not protect the keys without interaction.

Thanks

Re: App does not ask for inline certificate password

Posted: Sun Jan 26, 2020 10:53 pm
by TinCanTech
That is the point of having a password ..... interaction by an authorised entity.