How do I use OpenVPN along with hardware tokens?

Posted: Sun Oct 30, 2022 1:55 pm
by Habelo
I'm struggling with finding a way to get my OpenVPN connection up and running with a key/cert pair that I imported to my Yubikey. The connection works as intended with everything in the ovpn file, but when I try my new profile that makes use of the certificate pair on the Yubikey I receive an error for which I can't find a solution anywhere. No forum posts found.

OpenVPN server: Opnsense
OpenVPN client: Windows OpenVPN Connect 3.3.6
Yubikey: Yubikey 5

Error message: External Certificate signing failed

the log entries for the failed connection attempt:

[Oct 30, 2022, 13:38:59] EVENT: CONNECTING
[Oct 30, 2022, 13:38:59] Tunnel Options:V4,dev-type tun,link-mtu 1522,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-256-GCM,auth [null-digest],keysize 256,tls-auth,key-method 2,tls-client
[Oct 30, 2022, 13:38:59] Creds: Username/Password
[Oct 30, 2022, 13:38:59] Peer Info:
IV_VER=3.git::d3f8b18b
IV_PLAT=win
IV_NCP=2
IV_TCPNL=1
IV_PROTO=30
IV_CIPHERS=AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
IV_LZO_STUB=1
IV_COMP_STUB=1
IV_COMP_STUBv2=1
IV_GUI_VER=OCWindows_3.3.6-2752
IV_SSO=webauth,openurl,crtext

[Oct 30, 2022, 13:38:59] EVENT: EPKI_ERROR External Certificate Signing Failed
[Oct 30, 2022, 13:38:59] Client exception in transport_recv_excode: OpenSSLContext::SSL::read_cleartext: BIO_read failed, cap=2576 status=-1: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib
[Oct 30, 2022, 13:38:59] EVENT: DISCONNECTED

Things I tried:
-Following the guide on openvpn's website for "support of PKCS#11 physical tokens for OpenVPN Connect". That means importing the ovpn file excluding the key and cert, and putting these last two on the yubikey in slot 9a. For this importing I successfully used both yubico-piv-tool and the yubikey manager.
-Verify the cert with the yubico-piv-tool, successful
-Googling

It can succesfully use the yubikey, as I need to insert it and provide the correct pin, but it sees the information in the slot as "wrong" somehow, even though the connection works fine when it's all integrated in the ovpn file.

Any help on this would be appreciated. I'd like this to work since it adds to security while being really user-friendly for a company that's already accustomed to using Yubikeys for everything.

Re: How do I use OpenVPN along with hardware tokens?

Posted: Tue Dec 06, 2022 11:17 am
by mmrvelj
I have exactly the same problem. I tried both the community and the paid version of OpenVPN server and the result is the same. It errors out with the message "EPKI_ERROR External Certificate Signing Failed".

There are not many resources or guides to find on this subject. It seems to me that, if this ever worked, it worked only in some rare cases - so this is not yet ready for the wider usage. I surely hope that I am wrong here.

Did anybody manage to setup certificates to be stored on Yubikey PIV and to use them to connect to OpenVPN server?

Re: How do I use OpenVPN along with hardware tokens?

Posted: Tue Dec 06, 2022 7:39 pm
by Habelo
Indeed nothing to be found about it except that one guide on the openvpn website that doesn't work.

I still haven't gotten any further since, and no replies on reddit or stackoverflow either... Seems to me that really no-one is implementing this and it's not ready for use... So the only thing I can do is quote your question again:
"Did anybody manage to setup certificates to be stored on Yubikey PIV and to use them to connect to OpenVPN server?"

Re: How do I use OpenVPN along with hardware tokens?

Posted: Tue Dec 06, 2022 8:40 pm
by openvpn_inc
Hello,

These instructions are tested with each release of OpenVPN Connect v3.3 and newer for macOS and Windows with Yubikey:
https://openvpn.net/vpn-server-resource ... n-connect/

If you have problems with them, let us know what you're doing and what device you're using and any error messages you see. If there is sensitive data in the logs, use our support ticket system at https://openvpn.net/support

Good luck,
Johan

Re: How do I use OpenVPN along with hardware tokens?

Posted: Thu Dec 08, 2022 9:58 am
by mmrvelj
Finally I have made some progress.

Not sure where exactly the problem is, but I did manage to connect to the server. What I did (on Windows 11 Pro):
  • Installed OpenSC library (v 0.23 64bit)
  • Installed OpenVPN GUI (Not OpenVPN connect)
  • Configured client like this:

pkcs11-providers "C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll"
pkcs11-id 'pkcs11:model=PKCS%2315%20emulated;token=USERID;manufacturer=piv_II;serial=SERIALVALUE;id=%ID' 
  • and probably the most important part: instead of using an ECC key I generated an RSA key! It did not work until I used RSA.

I used the YubiKey to generate the key (with the YubiKey Manager GUI), exported the CSR, signed it with the VPN server CA, then imported the certificate back onto the YubiKey. I got the idea to use RSA when I saw a similar error happening to people using flat-file based keys and an error message on the server stating it "expects RSA key".

This is my recent find, so I cannot confirm that it is stable, but it's the first time I managed to get it to successfully connect. I still cannot get OpenVPN Connect to work, but there are a few things I need to test on that part.

@openvpn_inc - could you shed some light on the type of key used in testing in the instructions you mention? Is it ECC or RSA?

Update - It also works with OpenVPN Connect now. So ATM it seems to me that you need to use an RSA-based key, while ECC does not work in combination with the YubiKey!
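
The enrolment flow that Habelo's first post and mmrvelj's post above both describe (key generated on the YubiKey in slot 9a, CSR signed by the VPN server CA, certificate imported back onto the token, OpenSC loaded via pkcs11-providers in the client config), written out as an added example script. This is not code from the thread, from OpenVPN or from Yubico. It follows the RSA route the post reports working, refuses to import a signed certificate whose key is not RSA (checked with openssl), and builds the pkcs11-id value with the same percent-encoding seen in the post's config. It assumes yubico-piv-tool and openssl are on PATH on the enrolment machine; the slot, subject, CA file names, the token label USERID, the serial SERIALVALUE and the key id %01 (what OpenSC's PIV driver is assumed to report for slot 9a) are placeholders and assumptions, to be replaced with the values printed by openvpn --show-pkcs11-ids.

```shell
#!/bin/sh
# Added example (not from the thread, OpenVPN or Yubico): enrol an RSA key in
# a YubiKey PIV slot for OpenVPN and emit the client lines that use it.
# Assumes yubico-piv-tool and openssl on PATH. Slot, subject, CA files, token
# label, serial and key id below are placeholders/assumptions.
set -eu

# Percent-encode a string for use inside an RFC 7512 pkcs11: URI, e.g.
# "PKCS#15 emulated" -> "PKCS%2315%20emulated" (the value seen in the thread).
pct_encode() {
    s=$1; out=""
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        s=$rest
        case $c in
            [A-Za-z0-9._~-]) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;
        esac
    done
    printf '%s' "$out"
}

# Build the pkcs11-id value in the shape OpenVPN/OpenSC print for a PIV token.
# key_id is the PKCS#11 key id as percent-encoded bytes; %01 for slot 9a is an
# assumption, confirm with: openvpn --show-pkcs11-ids "<provider path>"
pkcs11_uri() {
    token=$1; serial=$2; key_id=$3
    printf 'pkcs11:model=%s;token=%s;manufacturer=%s;serial=%s;id=%s' \
        "$(pct_encode 'PKCS#15 emulated')" "$(pct_encode "$token")" \
        "$(pct_encode 'piv_II')" "$(pct_encode "$serial")" "$key_id"
}

# Pre-flight check before importing: the thread reports only RSA keys worked,
# so refuse anything whose SubjectPublicKeyInfo is not rsaEncryption.
assert_rsa_cert() {
    algo=$(openssl x509 -in "$1" -noout -text |
           sed -n 's/^ *Public Key Algorithm: //p')
    case $algo in
        rsaEncryption) printf 'key algorithm ok: %s\n' "$algo" ;;
        *) printf 'refusing %s: key algorithm is "%s", not rsaEncryption\n' \
               "$1" "$algo" >&2; return 1 ;;
    esac
}

# Generate a 2048-bit RSA key on the token (private key never leaves it), have
# the VPN CA sign a CSR for it, and load the certificate back into the slot.
# yubico-piv-tool prompts for the management key / PIN where it needs them.
enroll_rsa_key() {
    slot=$1; subject=$2; ca_cert=$3; ca_key=$4; out_cert=$5
    yubico-piv-tool -a generate -s "$slot" -A RSA2048 -o pub.pem
    yubico-piv-tool -a verify-pin -a request-certificate -s "$slot" \
        -S "$subject" -i pub.pem -o req.csr
    openssl x509 -req -in req.csr -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -days 365 -out "$out_cert"
    assert_rsa_cert "$out_cert"
    yubico-piv-tool -a import-certificate -s "$slot" -i "$out_cert"
}

# The two client-config lines that replace the inline <cert>/<key> blocks.
# First argument is the PKCS#11 module path (Windows OpenSC path as in the
# thread; on Linux the .so shipped by the opensc package would go here).
client_config_lines() {
    printf 'pkcs11-providers "%s"\n' "$1"
    printf "pkcs11-id '%s'\n" "$2"
}

# Usage: sh enroll.sh enroll 9a '/CN=alice/' ca.crt ca.key alice.crt
if [ "${1:-}" = enroll ]; then
    enroll_rsa_key "$2" "$3" "$4" "$5" "$6"
    yubico-piv-tool -a status          # confirms slot holds an RSA2048 key
    printf '\nAdd to the client profile (replace id after --show-pkcs11-ids):\n'
    client_config_lines \
        'C:\\Program Files\\OpenSC Project\\OpenSC\\pkcs11\\opensc-pkcs11.dll' \
        "$(pkcs11_uri USERID SERIALVALUE '%01')"
fi
```

Run it with the enroll verb on the machine that holds the CA key; on the Windows client, point the emitted pkcs11-providers line at the OpenSC DLL and paste the exact pkcs11-id that openvpn --show-pkcs11-ids prints for the token, since the serial and key id differ per key.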

Re: How do I use OpenVPN along with hardware tokens?

Posted: Mon Dec 12, 2022 12:06 pm
by Habelo
@openvpn_inc as stated in my first post, I have already tried to follow this guide, as it's the only real resource available on this topic. However, following this guide brings up the errors as discussed here.

@mmrvelj Well well... Seems like you found our issue! I was also using ECC keys.
Thank you for sharing your findings!
Unfortunately, changing this to RSA keys and thus reissuing every client certificate would be too big of a hassle for me. I hope they roll out an update for OpenVPN Connect to make this work with ECC as well, since the Yubikey 5 is supposed to work with ECC keys according to the Yubico website information (https://docs.yubico.com/hardware/yubike ... -apps.html).