Overview
OpenVPN Connect v3.5.x on Windows uses a newer Windows API to handle certificates, which requires the P12 file to carry a 'friendlyName' attribute on the certificate/key pair.
If the field is missing, importing the profile fails with an error message.
Why this happens
- P12/PFX files generated by the Access Server certool command or by Microsoft Active Directory Certificate Services (AD CS) include the 'friendlyName' field by default.
- The issue only occurs when the P12 file was built with the openssl command without the -name flag, which is what sets the 'friendlyName' field.
Solution
Scenario 1: You have the original client certificate and key
- Regenerate the P12 file with the -name flag, which sets the 'friendlyName' field, using openssl:
openssl pkcs12 -export -inkey client.key -in client.crt -out etest.p12 -name "etest_client"
- Replace etest_client with the desired 'friendlyName'.
Scenario 2: You don't have the original client certificate and key
- Extract the certificate and private key from the P12 file (openssl prompts for the P12 import password):
openssl pkcs12 -in etest.p12 -clcerts -nokeys -out client.crt
openssl pkcs12 -in etest.p12 -nocerts -out client.key -nodes
- client.crt: extracted certificate.
- client.key: extracted private key. Because of -nodes it is written unencrypted, so keep it in a protected location and delete it once the new P12 file has been created.
- Regenerate a new P12 file with the correct flag (this overwrites the original etest.p12; use a different -out name if you want to keep it):
openssl pkcs12 -export -inkey client.key -in client.crt -out etest.p12 -name "etest_client"
- Replace etest_client with the desired 'friendlyName'.
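The two scenarios above, scripted end to end as an added example (not code from the OpenVPN article): a check that reports whether a P12 file already carries a friendlyName, the Scenario 1 build with -name, and the Scenario 2 extract-and-rebuild with the unencrypted key confined to a private temporary directory. It assumes the openssl CLI is on PATH; the file names, the "etest_client" friendly name and the passwords are placeholders, and the demo at the bottom generates its own throwaway self-signed certificate.

```shell
#!/bin/sh
# Added example, not from the OpenVPN article: check whether a P12 file
# carries a friendlyName and, when it does not, rebuild it with one using
# the article's Scenario 2 steps. Assumes the openssl CLI is on PATH.
# File names, the "etest_client" friendly name and the passwords are
# placeholders, not values from the article.
set -eu

# Print the friendlyName of the first certificate in a P12 file, or nothing
# if the attribute is absent. openssl emits it in the "Bag Attributes" block
# that precedes each PEM object (suppressed only by -noattr).
p12_friendly_name() {
    # $1 p12 file, $2 its import password
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
        | sed -n 's/^[[:space:]]*friendlyName:[[:space:]]*//p' | head -n 1
}

# Exit status 0 if the P12 has a non-empty friendlyName, 1 otherwise.
p12_has_friendly_name() {
    [ -n "$(p12_friendly_name "$1" "$2")" ]
}

# Scenario 1: build a P12 from a PEM key and certificate, passing -name so
# the friendlyName attribute is set on the certificate/key pair.
make_p12() {
    # $1 key, $2 cert, $3 output p12, $4 friendly name, $5 export password
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$4" \
        -passout "pass:$5"
}

# Scenario 2: extract the certificate and key from an existing P12, then
# rebuild it with -name. The key comes out unencrypted (-nodes), so it is
# written into a private (umask 077) temp directory that is removed on exit.
# The body runs in a subshell so umask and the trap stay local.
fix_p12() (
    # $1 input p12, $2 its password, $3 output p12, $4 friendly name
    umask 077
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
        -out "$tmp/client.crt" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes \
        -out "$tmp/client.key" 2>/dev/null
    make_p12 "$tmp/client.key" "$tmp/client.crt" "$3" "$4" "$2"
)

# Constructed demo: a throwaway self-signed cert, a P12 built without -name
# (the kind OpenVPN Connect 3.5.x rejects), then the repaired P12.
demo() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/client.key" \
        -out "$dir/client.crt" -subj "/CN=etest" -days 1 2>/dev/null
    openssl pkcs12 -export -inkey "$dir/client.key" -in "$dir/client.crt" \
        -out "$dir/etest.p12" -passout pass:secret
    if p12_has_friendly_name "$dir/etest.p12" secret; then
        echo "etest.p12 already has a friendlyName"
    else
        echo "etest.p12 has no friendlyName; rebuilding"
        fix_p12 "$dir/etest.p12" secret "$dir/etest-fixed.p12" etest_client
        echo "etest-fixed.p12 friendlyName: $(p12_friendly_name "$dir/etest-fixed.p12" secret)"
    fi
    rm -rf "$dir"
}

# Run the demo only when openssl is available.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run p12_has_friendly_name against a profile's P12 before handing it to a Windows user; if it returns non-zero, fix_p12 produces a replacement without ever leaving the decrypted key in the working directory.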
If you have additional questions, please submit a ticket.