With this method I can create a wrapped private key and connect to our VPN. However, I still need to extract the certificates to connect. With my original p12 (not wrapped) I can connect to our VPN gateway without specifying the certificates. I am wondering if there is a way to repack the TPM-wrapped private key and certs into a new p12 file, i.e.

    create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
    cat private-key-tpm-wrapped.pem > new.pem
    cat user_cert.crt >> new.pem
    cat ca_cert.crt >> new.pem
    openssl pkcs12 -export -nodes -CAfile ca_cert.crt -in new.pem -out wrapped-vpn.p12

Gives "unable to load private key"?

On Wed, Mar 4, 2020 at 10:20 PM David Woodhouse <dwmw2@xxxxxxxxxxxxx> wrote:
>
> On Wed, 2020-03-04 at 07:56 -0800, James Bottomley wrote:
> > PKCS12 is a fairly common key wrapping protocol, particularly used by
> > Microsoft, so add the ability to wrap PKCS12 keys. The wrap merely
> > searches the PKCS12 bag for the private key, ignores all the
> > certificates and produces a TPM wrapped version of the private key it
> > finds. We can discriminate easily between PKCS12 and PEM private keys
> > because the PKCS12 DER is a very specific ASN.1 format, so we don't
> > need to know what type of keyfile we have, we just try both formats to
> > see if it will import.
> >
> > Signed-off-by: James Bottomley <James.Bottomley@xxxxxxxxxxxxxxxxxxxxx>
>
> Looks good to me; thanks. Much better than trying to teach users how to
> do the conversion for themselves.
>
> Minor nit: in the documentation, please use 'PKCS#12' not 'PKCS12'.
> Likewise for PKCS#1 and PKCS#8.
>
> FWIW the OpenConnect test suite includes certificates in a bunch of
> similar formats you might want to also consider supporting:
> http://git.infradead.org/users/dwmw2/openconnect.git/blob/HEAD:/tests/Makefile.am

_______________________________________________
openconnect-devel mailing list
openconnect-devel@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/openconnect-devel
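The quoted commit message relies on PKCS#12 DER being "a very specific ASN.1 format" that can be told apart from a PEM key file by just trying to parse it. The following added example (not code from the thread or from openssl_tpm2_engine) shows that discrimination on the outer structure alone: PFX ::= SEQUENCE { version INTEGER (3), authSafe ContentInfo, ... } where ContentInfo begins with the id-data OID 1.2.840.113549.1.7.1, versus a PEM file whose first line is a "-----BEGIN <label>-----" header. The sample inputs are constructed; the "TSS2 PRIVATE KEY" PEM label is assumed to be the one the TPM-wrapped key file uses.

```python
# DER encoding of OID 1.2.840.113549.1.7.1 (id-data), tag and length included.
ID_DATA_OID_DER = bytes.fromhex("06092a864886f70d010701")


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER TLV at buf[pos]."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length


def looks_like_pkcs12(data: bytes) -> bool:
    """True if data parses as PFX: SEQUENCE { INTEGER 3, SEQUENCE { id-data ... } }."""
    try:
        tag, start, end = _read_tlv(data, 0)
        if tag != 0x30 or end != len(data):
            return False
        tag, vstart, vend = _read_tlv(data, start)
        if tag != 0x02 or data[vstart:vend] != b"\x03":  # version must be 3
            return False
        tag, cstart, _ = _read_tlv(data, vend)
        return tag == 0x30 and data.startswith(ID_DATA_OID_DER, cstart)
    except ValueError:
        return False


def pem_label(data: bytes):
    """Return the label of the first PEM BEGIN line, or None if there is none."""
    first = data.lstrip().split(b"\n", 1)[0].strip()
    if first.startswith(b"-----BEGIN ") and first.endswith(b"-----"):
        return first[len(b"-----BEGIN "):-5].decode("ascii", "replace")
    return None


def classify_keyfile(data: bytes) -> str:
    """Try PKCS#12 first, then PEM, as the patch does; 'unknown' if neither fits."""
    if looks_like_pkcs12(data):
        return "pkcs12"
    label = pem_label(data)
    return f"pem:{label}" if label else "unknown"


def _der(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value  # short-form length suffices for samples


# Constructed samples: a minimal PFX prefix and a (truncated) TPM-wrapped PEM key.
SAMPLE_PKCS12 = _der(0x30, _der(0x02, b"\x03") + _der(0x30, ID_DATA_OID_DER + _der(0xA0, b"")))
SAMPLE_TSS2_PEM = b"-----BEGIN TSS2 PRIVATE KEY-----\nMIIB...\n-----END TSS2 PRIVATE KEY-----\n"
```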