W dniu 2016-09-22 16:06, David Woodhouse napisa?(a): > On Wed, 2016-09-21 at 16:26 +0200, Miko?aj Stefaniak wrote: >> Hello, >> >> I'm looking for some help with openconnect and p7b client certificate. >> On Windows I can import p7b (that has no private key) certificate to? >> windows cert store and later use it in AnyConnect. > > But a PKCS#7 file really does contain only the certificate. You can't > use that on its own; there *needs* to be a private key which > corresponds to it. > > At least, you do for client authentication. Or was this just the > certificate for your VPN server, which is otherwise invalid? In that > case, you want to be using the PEM file with the --cafile option, not > the -c option. Yeach and that is the whole mystery. I got PKCS#7 certificate file from my IT department - obviously there is no key inside. Despite that I could import this certificate to windows certmgr and Windows Anyconnect is using it as client certificate in TLS handshake (I inspected this with Wireshark). It is possible to use this certificate in Firefox even! (when accessing https vpn site) This is really confusing as even Linux version of Anyconnect requires PEM cert with a key... No idea how to proceed with this, looks like windows certificate managment is somehow special.....
