I attempted to build a simple PKI using the examples in ocserv(8). Last step in the generation of a client certificate is the conversion of a certificate into PKCS #12. Unfortunately the resulting file is not compatible with openconnect (tested in OSX and OpenBSD):

# sudo openconnect -v -c pkcs12.p12 vpn.example.com
POST https://vpn.example.com
Attempting to connect to server a.b.c.d:443
Using certificate file pkcs12.p12
Loading certificate failed: No certificate found in file
Loading certificate failed. Aborting.
Failed to open HTTPS connection to vpn.example.com
Failed to obtain WebVPN cookie

I suspect that openconnect does not like PKCS #12 in PEM format. It does however like DER format. Easy solution is to change the certtool example in ocserv(8) to include the --outder switch. Real solution would be enabling openconnect to accept both PEM and DER format. Implementation of the latter is out of my league.

Suggested change:

diff --git a/src/ocserv-args.def b/src/ocserv-args.def index f3ea780..5e7b695 100644 --- a/src/ocserv-args.def +++ b/src/ocserv-args.def @@ -680,7 +680,7 @@ $ certtool --generate-certificate --load-privkey user-key.pem \ --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem \ --template user.tmpl --outfile user-cert.pem -$ certtool --to-p12 --load-privkey user-key.pem \ +$ certtool --to-p12 --outder --load-privkey user-key.pem \ --pkcs-cipher 3des-pkcs12 \ --load-certificate user-cert.pem \ --outfile user.p12

OK?

--
Björn Ketelaars
GPG key: 0x4F0E5F21
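Review bot: the `+$ certtool --to-p12 --outder --load-privkey user-key.pem \` line changes only the command, but nothing in the hunk tells the reader why `--outder` is there, so someone who already followed the old example and holds a PEM-encoded .p12 will hit the same "No certificate found in file" error from openconnect without knowing the cause. Suggest adding a sentence next to the example in src/ocserv-args.def stating that the PKCS #12 file must be written in DER form because openconnect does not accept a PEM-encoded PKCS #12, and that an existing PEM .p12 should be regenerated with this command. Note also that the change documents around the client limitation rather than fixing it, as the report itself says; the manpage is the right place to record that until openconnect accepts both encodings.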