Description: OpenVPN Connect supports external certificates on PKCS#11 hardware tokens for VPN connections. This page provides an overview of setting it up on your device. The instructions are applicable for Yubikey hardware tokens with PKCS#11 support, such as Yubikey 5 NFC. You can try the same steps with modules for hardware tokens of other vendors.
Note: Support for PKCS#11 hardware tokens requires Windows or macOS and OpenVPN Connect 3.3 and newer.
Important note: Starting with OpenVPN Connect 3.5, ECC certificates can be loaded from hardware tokens such as the YubiKey. Earlier versions require RSA-based certificates. OpenVPN Access Server 2.9 and newer supports multiple CAs per server.
Before you begin
- Installed OpenVPN Connect on Windows or macOS.
- Hardware tokens with PKCS#11 support. In this guide, we will use Yubikey 5 NFC.
- Installed hardware token management software CLI Tool (Yubico PIV Tool). (Refer to the Yubikey site: Yubico PIV Tool.)
- Installed hardware token management software UI Tool (YubiKey Manager). (Refer to the Yubikey site: YubiKey Manager.)
Note: In this guide, we will use YubiKey as a hardware token. If you're using another hardware token, refer to the vendor documentation for instructions about how to use their software and import the client certificate and private key.
Step by Step
Edit the Client Profile
- Download a user-locked or auto-login connection profile from your Access Server.
- Open the connection profile (.ovpn file) with a text editor, copy the content between "<cert>" and "</cert>", and paste it into a new file like this:
-----BEGIN CERTIFICATE-----
MIIBnjCCASWgAwIBAgIIWZHeXiokANswCgYIKoZIzjXEAwIwFTETMBEGAXUEAwwK
TXBlblZQTiBDQTAeFwXyNDAXMDQxOTMXMzdaFwXzNDAXMDMxOTMXMzdaMBIxEDAO
BgNVBAMMBXXwZWXXcGXwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATWGXrEXwZXRtsP
NtTynxSnXXy+XMdhEEvNXNxEODPGmubXXwQMSXzHfWXXhMFAkJalrdXNIAIqLarg
YytVxQDXKINlIo+bDXXzUiXXBnUGudSAXeXXfABVtE/XImSs/TWjRTBDMAwGAXUd
EwEB/wQCMAAwCwYDVRXPBAQDAgeAMBMGAXUdJQQMMAoGCCsGAQUFBwMCMBEGCWCG
SAGG+EIBAQQEAwIHgDAKBggqhkjOPQQDAgNnADBkAjBuQKXNOWcDGYCXfXjcRk+W
pX+G+cMIXwxeqPNQfXBgXyiXvsdzSX/CrKiTctrUeqYCMGXXBSXJkgkXmYJEkWcO
cAyXclSXnAXfgnXzojsXilXXXyFXXXcXBLXTkXPzXXqLkA==
-----END CERTIFICATE-----
- Save this file as "yubico-cert.crt".
- Also, copy the content between "<key>" and "</key>" into a new file:
-----BEGIN PRIVATE KEY-----
MIGXAgEAMBAGByqGSMXXAgEGBSuBBAAiBIGeMIGbAgEBBDDXHhJXYZbXfGXcbVuP
XOKwGCXqXPgNHL/XBTHXSXANXgqrKYl/viYhdRXAKTa+gMKhZANiAATWGXrEXwZX
RtsPNtTynxSnXXy+XMdhEEvNXNxEODPGmubXXwQMSXzHfWXXhMFAkJalrdXNIAIq
LargYytVxQDXKINlIo+bDXXzUiXXBnUGudSAXeXXfABVtE/XImSs/TU=
-----END PRIVATE KEY-----
- Save this file as "yubico-private.key".
- Remove the content from "<cert>" to "</cert>" and "<key>" to "</key>" from the connection profile (.ovpn file) and save the file as "yubico-profile.ovpn".
You should now have three files:
- The connection profile ("yubico-profile.ovpn").
- The client certificate ("yubico-cert.crt").
- The private key ("yubico-private.key").
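The profile-editing steps above, as an added shell example (this script is not part of the original article and is not OpenVPN or Yubico tooling). It pulls the <cert> and <key> blocks out of the downloaded profile, writes the three files with the names used in this guide, writes the key with owner-only permissions, and refuses to continue if either block is missing. The function names are illustrative; the input is whatever profile you downloaded from Access Server, and the CRLF handling assumes the usual inline-profile layout with each tag on its own line.

```shell
#!/bin/bash
# Added example, not part of the original article or of OpenVPN's own tooling.
# Splits an Access Server profile into the three files used in this guide:
#   yubico-profile.ovpn, yubico-cert.crt, yubico-private.key
# Function and variable names are illustrative; file names follow the article.

# Print the PEM body of one inline block (<cert> or <key>) from a profile.
# Strips CR so profiles saved on Windows (CRLF) still match the tags exactly.
extract_inline_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }
        $0 == "<" tag ">"  { inside = 1; next }
        $0 == "</" tag ">" { inside = 0; next }
        inside             { print }
    ' "$1"
}

# Usage: split_ovpn_profile <downloaded.ovpn> <output-directory>
split_ovpn_profile() {
    in="$1"; out="$2"
    mkdir -p "$out" || return 1

    extract_inline_block "$in" cert > "$out/yubico-cert.crt"
    # The key is written with owner-only permissions from the moment it exists on disk
    # (remove any earlier copy first so the umask actually applies to the new file).
    rm -f "$out/yubico-private.key"
    ( umask 077; extract_inline_block "$in" key > "$out/yubico-private.key" )

    # The profile keeps everything except the two blocks (the <ca> block stays).
    awk '
        { sub(/\r$/, "") }
        /^<cert>$/ || /^<key>$/     { skip = 1; next }
        /^<\/cert>$/ || /^<\/key>$/ { skip = 0; next }
        !skip                       { print }
    ' "$in" > "$out/yubico-profile.ovpn"

    # Refuse to hand back an empty certificate or key file: an empty file imports nothing,
    # and the profile would be left without credentials.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$out/yubico-cert.crt" \
        || { echo "no <cert> block found in $in" >&2; return 1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$out/yubico-private.key" \
        || { echo "no <key> block found in $in" >&2; return 1; }
    echo "wrote yubico-profile.ovpn, yubico-cert.crt and yubico-private.key in $out"
}

# Optional check before importing: the certificate and key must be a pair, because the
# token slot needs both and a mismatch only shows up later as a failed TLS handshake.
# Usage: cert_matches_key <cert.crt> <private.key>
cert_matches_key() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping match check" >&2; return 0; }
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `split_ovpn_profile client.ovpn ./YUBICO` and then `cert_matches_key YUBICO/yubico-cert.crt YUBICO/yubico-private.key` before importing into the token. Once the key is on the token, delete yubico-private.key and the original profile download: a plaintext private key left on disk defeats the purpose of the hardware token.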
Import the Client Certificate and Private Key into the Hardware Token (Yubikey)
Note: For this step, we can use either "Yubico PIV Tool" (CLI) or "YubiKey Manager" (UI).
You have two options to import the client certificate and private key:
- Import the client certificate and private key as two separate files.
- Import the client certificate and private key as a single file with either the .p12 or .pfx extension.
Option 1: Importing the client certificate and private key as two separate files
Using "Yubico PIV Tool"
- Ensure that your hardware token (Yubikey) is connected to your PC.
- Open Windows CMD and change to the Yubico PIV Tool directory:
cd C:\Program Files\Yubico\Yubico PIV Tool\bin
- From here we can run "yubico-piv-tool" commands to import the client certificate and private key.
- In this example, the two files are in the following directory:
C:\Users\Brandon\Documents\YUBICO\yubico-cert.crt
C:\Users\Brandon\Documents\YUBICO\yubico-private.key
- Run these commands to import the client certificate and private key (replacing the paths, and if needed the slot, for your setup):
yubico-piv-tool -a import-certificate -s 9a -i C:\Users\Brandon\Documents\YUBICO\yubico-cert.crt
yubico-piv-tool -a import-key -s 9a -i C:\Users\Brandon\Documents\YUBICO\yubico-private.key
Both actions authenticate to the token with the PIV management key. yubico-piv-tool uses the factory default management key unless you pass -k; if you have changed the management key, add -k (with no value) to be prompted for it.
If everything goes well, you will see something like this:
C:\Program Files\Yubico\Yubico PIV Tool\bin>yubico-piv-tool -a import-certificate -s 9a -i C:\Users\Brandon\Documents\YUBICO\yubico-cert.crt
Successfully imported a new certificate.
C:\Program Files\Yubico\Yubico PIV Tool\bin>yubico-piv-tool -a import-key -s 9a -i C:\Users\Brandon\Documents\YUBICO\yubico-private.key
Successfully imported a new private key.
Important
Ensure you import the private key and certificate into the same slot on the token. Slot 9a is the PIV Authentication slot, which corresponds to the Authentication tab in YubiKey Manager. Once the key is on the token, delete "yubico-private.key" and the original profile download that still contains the key; a plaintext private key left on disk defeats the purpose of the hardware token.
Using "YubiKey Manager"
- Make sure that your hardware token (Yubikey) is connected to your PC.
- Open the "YubiKey Manager" program from your PC and confirm that your hardware token is connected:
- Go to Applications > PIV:
- Click Configure Certificates:
- Click Import under the Authentication tab:
- Select the client certificate file ("yubico-cert.crt") and click Import. If everything goes well, you will see something like this:
- Click Import on the Authentication tab.
- Select the private key file ("yubico-private.key") and click Import. If everything goes well, you will see something like this:
Note: You won't see any private key under the authentication tab, but if you see the "Private key was imported to slot 9a", then you're good to go.
Option 2: Importing the client certificate and private key as one single file with .p12 or .pfx extension
Using "YubiKey Manager"
- Ensure that your hardware token (Yubikey) is connected to your PC.
- Open the "YubiKey Manager" program from your PC and confirm that your hardware token is connected:
- Go to "Applications > PIV":
- Click on Configure Certificates:
- Click Import on the Authentication tab:
- Select the bundled file (.p12 or .pfx) and click Import. If everything goes well, you will see something like this:
Locate and copy the vendor module so that OpenVPN Connect v3 can recognize it
Find your operating system below and follow the steps.
Windows
- Press Windows + R to launch the Windows Run prompt.
- Enter sysdm.cpl and press Enter to launch the System Properties window:
- Click Advanced to access the Environment Variables button:
- Under System Variables, highlight Path and click Edit…:
- Click New and add C:\Program Files\Yubico\Yubico PIV Tool\bin then click OK:
- Go to C:\Program Files\Yubico\Yubico PIV Tool\bin and copy the file named libykcs11.dll:
- Go to C:\Program Files\OpenVPN Connect and create a new folder named pkcs11_modules:
- Open the new directory and paste the file named libykcs11.dll you copied in step 6.
macOS
- Locate the library:
/usr/local/lib/libykcs11.x.x.x.dylib
E.g., libykcs11.2.3.1.dylib. Make sure you pick the versioned file itself, not one of the symlinks pointing at it.
- Open Terminal and execute this command to create a symlink to the library file, where x.x.x is the version of the file from step one:
ln -s /usr/local/lib/libykcs11.x.x.x.dylib ~/.pkcs11_modules/libykcs11.dylib
- If the ".pkcs11_modules" directory doesn't exist, you will see an error like this one:
ln: /Users/brandon/.pkcs11_modules/libykcs11.dylib: No such file or directory
If so, create it:
mkdir ~/.pkcs11_modules
- Then run the ln command again, for example with version 2.3.1:
ln -s /usr/local/lib/libykcs11.2.3.1.dylib ~/.pkcs11_modules/libykcs11.dylib
- You can check that everything is in place with:
ls -al ~/.pkcs11_modules
Note: As of this writing, version 2.3.1 from the Yubico PIV Tool site was used. If you use a different version, check /usr/local/lib/ to see which libykcs11.x.x.x.dylib you have and adjust the version accordingly.
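The macOS steps above as one added shell function (this is not from the original article and not Yubico's tooling). It performs the checks the steps describe: the source must be the versioned file rather than a symlink, the ~/.pkcs11_modules directory is created if missing instead of letting ln fail, and the resulting link is verified to resolve to a readable file. The library directory, the version and the module directory are passed in as arguments because they are assumptions that depend on which Yubico PIV Tool release is installed.

```shell
#!/bin/bash
# Added example, not part of the original article or of Yubico's tooling.
# Registers the YubiKey PKCS#11 module for OpenVPN Connect on macOS with the checks
# the steps above describe. Paths and the version are assumptions; adjust them to
# what /usr/local/lib actually contains.

# Usage: link_ykcs11_module <libdir> <version> <module-dir>
#   e.g. link_ykcs11_module /usr/local/lib 2.3.1 "$HOME/.pkcs11_modules"
link_ykcs11_module() {
    libdir="$1"; version="$2"; moddir="$3"
    src="$libdir/libykcs11.$version.dylib"
    dst="$moddir/libykcs11.dylib"

    # Step one of the article: point at the real versioned file, not a symlink to it.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "error: $src is not a regular file; run 'ls -l $libdir' and pick libykcs11.x.x.x.dylib" >&2
        return 1
    fi

    # Creating the directory first avoids "ln: ... No such file or directory".
    mkdir -p "$moddir" || return 1
    # -f replaces a stale link left from an earlier version; -n keeps ln from
    # descending into an existing link that points at a directory.
    ln -sfn "$src" "$dst" || return 1

    # The link must resolve to a readable file, otherwise OpenVPN Connect cannot load it.
    if [ -L "$dst" ] && [ -r "$dst" ] && [ -f "$dst" ]; then
        echo "registered $dst -> $(readlink "$dst")"
        return 0
    fi
    echo "error: $dst does not resolve to a file" >&2
    return 1
}

# Show what OpenVPN Connect will see, the same as the 'ls -al' check above.
show_pkcs11_modules() {
    ls -al "${1:-$HOME/.pkcs11_modules}"
}
```

Run it as `link_ykcs11_module /usr/local/lib 2.3.1 "$HOME/.pkcs11_modules"`, then `show_pkcs11_modules` to confirm the link; if you pass a version that only exists as a symlink, the function refuses and tells you to pick the versioned file.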
Assign an external certificate to the profile
- Shut down OpenVPN Connect if it's running.
- Launch OpenVPN Connect.
- Import the connection profile, yubico-profile.ovpn.
- Click or tap the Edit icon for the profile:
- Under Certificate and Key, click or tap Assign:
- Click or tap Hardware Tokens.
- Select the hardware token from the list and click Authorize.
- Enter the PIN for the desired hardware token and click OK.
- After successful authorization, choose the certificate and key for connection with the profile and click Confirm. In our case, the client certificate has the VPN username (yubico-user), and the private key is "Private Key for PIV Authentication".
- Save the profile configuration.
Connect with a profile and the hardware token
Now that you have a proper certificate and key assigned to the profile, let's connect using the profile and the hardware token (Yubikey).
- Click or tap the profile toggle to connect.
- Enter the PIN for the desired hardware token and click OK.
- After a successful connection, OpenVPN Connect displays connection statistics:
Important
Keep the hardware token plugged in during the connection process. The private key never leaves the token: OpenVPN Connect asks the token to sign the TLS handshake, so the connection cannot complete if the token has been removed.