On Tue, Oct 21, 2014 at 3:00 PM, David Frank <bitinn at gmail.com> wrote:
>>> - certtool --to-p12 --load-ca-certificate ca-cert.pem --load-privkey
>>> user-key.pem --load-certificate user-cert.pem --outfile user.p12
>> The equivalent:
>> MAC info:
>> MAC: SHA1 (1.3.14.3.2.26)
>>
>> BAG #0
>> Type: Encrypted
>> Cipher: ARCFOUR-128
>> Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
>>
>> BAG #1
>> Type: Encrypted
>> Cipher: ARCFOUR-128
>> Schema: PKCS12-ARCFOUR-SHA1 (1.2.840.113549.1.12.1.1)
>> So I'd suggest to use --pkcs-cipher=3des-pkcs12 as algorithm. That will
>> also be the default in certtool in 3.4.0.
> Tried both 3des and aes, unfortunately no good on iOS AnyConnect, same vague
> error message.

I guess then the only remaining possibility is that anyconnect client
requires the key to be in encrypted PKCS #8 format, and placed unencrypted
in the PKCS #12 structure, instead of encrypted in PKCS #12. Too bad that
the designers of PKCS #12 are not the ones who are expected to fix that
mess.

regards,
Nikos
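An added example, not from the thread or from GnuTLS itself: a small sh script that builds the PKCS #12 file with the 3DES cipher suggested above and then audits `certtool --p12-info` output for bags still protected with ARCFOUR (RC4). The file names are the ones from the quoted command and are assumptions; certtool prompts for the export password when run interactively.

```shell
#!/bin/sh
# Added example (not code from the thread).  Assumes certtool (GnuTLS) is on
# PATH and that ca-cert.pem, user-key.pem and user-cert.pem exist.

# Count bags whose "Cipher:" line names ARCFOUR/RC4.  Reads the text printed
# by `certtool --p12-info` on stdin and prints the number of weak bags.
count_weak_bags() {
    awk '
        /^[[:space:]]*Cipher:/ && $0 ~ /ARCFOUR|RC4/ { n++ }
        END { print n + 0 }
    '
}

# Build user.p12 with 3DES-protected bags (--pkcs-cipher=3des-pkcs12 as
# suggested in the thread), then fail if any bag still uses ARCFOUR.
make_p12() {
    certtool --to-p12 --pkcs-cipher=3des-pkcs12 \
        --load-ca-certificate ca-cert.pem \
        --load-privkey user-key.pem \
        --load-certificate user-cert.pem \
        --outfile user.p12 || return 1
    weak=$(certtool --p12-info --infile user.p12 | count_weak_bags)
    [ "$weak" -eq 0 ]
}
```

Run `make_p12` after sourcing the script; it returns non-zero either when certtool fails or when the resulting file still contains an RC4-protected bag.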