Help creating a .p12 file for use with Android

[stevedub40]

Hello all,

I was able to finally get the server side of OpenVPN to work, and now I need some assistance with setting it up on Android. I tried using the Market app called OpenVPN Settings, but it would not allow me to check the box next to my *.ovpn file. I am now trying to connect via the built in Android VPN, which requires a compiled .p12 file loaded. Here is the errors I get when trying to do so:

Code: Select all

C:\Program Files (x86)\OpenVPN\bin>openssl pkcs12 -export -in "C:\Program Files
(x86)\OpenVPN\config" -inkey "C:\Program Files (x86)\OpenVPN\config" -certfile "
C:\Program Files (x86)\OpenVPN\config" -name  "WojoHome" -out "certs.p12"
5552:error:02001005:system library:fopen:Input/output error:.\crypto\bio\bss_fil
e.c:169:fopen('C:\openssl\ssl','rb')
5552:error:2006D002:BIO routines:BIO_new_file:system lib:.\crypto\bio\bss_file.c
:174:
5552:error:0E078002:configuration file routines:DEF_LOAD:system lib:.\crypto\con
f\conf_def.c:199:

[stevedub40]

Okay, I have moved some files around and tried some different things. I know seem to get a constant error stating I don't have permission on the folder that contains the files needed for the pkcs12 key. Here is the error I get now:

Code: Select all

C:\openssl\ssl>openssl pkcs12 -export -in C:\openssl\ssl -inkey C:\openssl\ssl -
certfile C:\openssl\ssl -name  WojoHome -out android.p12
Loading 'screen' into random state - done
Error opening input file C:\openssl\ssl
C:\openssl\ssl: Permission denied

[Mimiko]

Check sequrity permission.

[janjust]

C:\openssl\ssl>openssl pkcs12 -export -in C:\openssl\ssl -inkey C:\openssl\ssl -
certfile C:\openssl\ssl -name WojoHome -out android.p12

where did the path 'C:\openssl]\ssl' come from all of a sudden? your openssl command seems wrong - you're passing the name of the (current) directory for several input parameters. How did you come up with this command?

I'd build a pkcs12 file using something like

Code: Select all

C:\Program Files (x86)\OpenVPN\easy-rsa\build-key-pkcs12 <name>

where are you storing your certificates?

[stevedub40]

I initially had my openssl files located there because of the name space issues with windows. When I get home I will try the bat file again. I had trouble with that at first as well.

[stevedub40]

Okay, I had some time to mess with things a bit. I ran the bat file as you suggested, but for some reason it seems like it cannot see my .crt file, which I have copied and placed in a number of directories hoping to make it work. Here is the error that I get:

Code: Select all

C:\Program Files (x86)\OpenVPN\easy-rsa>build-key-pkcs12 Android
C:\Program Files (x86)\OpenVPN\easy-rsa
req [options] <infile >outfile
where options  are
 -inform arg    input format - DER or PEM
 -outform arg   output format - DER or PEM
 -in arg        input file
 -out arg       output file
 -text          text form of request
 -pubkey        output public key
 -noout         do not output REQ
 -verify        verify signature on REQ
 -modulus       RSA modulus
 -nodes         don't encrypt the output key
 -engine e      use engine e, possibly a hardware device
 -subject       output the request's subject
 -passin        private key password source
 -key file      use the private key contained in file
 -keyform arg   key file format
 -keyout arg    file to send the key to
 -rand file;file;...
                load the file (or the files in the directory) into
                the random number generator
 -newkey rsa:bits generate a new RSA key of 'bits' in size
 -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
 -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)
 -config file   request template file.
 -subj arg      set or modify request subject
 -new           new request.
 -batch         do not ask anything during request generation
 -x509          output a x509 structure instead of a cert. req.
 -days          number of days a certificate generated by -x509 is valid for.
 -set_serial    serial number to use for a certificate generated by -x509.
 -newhdr        output "NEW" in the header lines
 -asn1-kludge   Output the 'request' in a format that is wrong but some CA's
                have been reported as requiring
 -extensions .. specify certificate extension section (override value in config
file)
 -reqexts ..    specify request extension section (override value in config file
)
 -utf8          input characters are UTF8 (default ASCII)
 -nameopt arg    - various certificate name options
 -reqopt arg    - various request text options

unknown option -config
usage: ca args

 -verbose        - Talk alot while doing things
 -config file    - A config file
 -name arg       - The particular CA definition to use
 -gencrl         - Generate a new CRL
 -crldays days   - Days is when the next CRL is due
 -crlhours hours - Hours is when the next CRL is due
 -startdate YYMMDDHHMMSSZ  - certificate validity notBefore
 -enddate YYMMDDHHMMSSZ    - certificate validity notAfter (overrides -days)
 -days arg       - number of days to certify the certificate for
 -md arg         - md to use, one of md2, md5, sha or sha1
 -policy arg     - The CA 'policy' to support
 -keyfile arg    - private key file
 -keyform arg    - private key file format (PEM or ENGINE)
 -key arg        - key to decode the private key if it is encrypted
 -cert file      - The CA certificate
 -in file        - The input PEM encoded certificate request(s)
 -out file       - Where to put the output file(s)
 -outdir dir     - Where to put output certificates
 -infiles ....   - The last argument, requests to process
 -spkac file     - File contains DN and signed public key and challenge
 -ss_cert file   - File contains a self signed cert to sign
 -preserveDN     - Don't re-order the DN
 -noemailDN      - Don't add the EMAIL field into certificate' subject
 -batch          - Don't ask questions
 -msie_hack      - msie modifications to handle all those universal strings
 -revoke file    - Revoke a certificate (given in file)
 -subj arg       - Use arg instead of request's subject
 -extensions ..  - Extension section (override value in config file)
 -extfile file   - Configuration file with X509v3 extentions to add
 -crlexts ..     - CRL extension section (override value in config file)
 -engine e       - use engine e, possibly a hardware device.
 -status serial  - Shows certificate status given the serial number
 -updatedb       - Updates db for expired certificates
Loading 'screen' into random state - done
Error opening input file \Android.crt
\Android.crt: No such file or directory
Could Not Find C:\*.old

I just seems like it is not seeing where the necessary files are, but I believe that they should be in the right place somewhere. Where is the default location that the bat looks for the files? I see that the code has variables in place, which I tried to alter as well, with no luck.

[stevedub40]

Success!!!

I removed all the variable paths from the script and it worked! Here is what I used

Code: Select all

openssl pkcs12 -export -inkey Android.key -in Android.crt -certfile ca.crt -out Android.p12

Thank you guys so much for all your help. Without you guys I probably would have just given up. Thanks again!