Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

mandrei99
Post  Post subject: Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs  |  Posted: Wed Apr 10, 2013 5:42 am


Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs

While other OSes and VPN clients accept PEM-formatted X.509 certificates and keys for IPsec VPN authentication, iOS on iPad and iPhone expects the client certificate, its private key and the CA certificate bundled together in PKCS#12 (.p12) format.



Step 1: Generate the private key. Use at least 2048 bits; 1024-bit RSA is no longer considered safe. The -aes128 option encrypts the key file with a passphrase that OpenSSL prompts for and that you will need again in steps 2 and 4:
Code:
# openssl genrsa -aes128 -out private/iphone.key 2048


Step 2: Create a CSR (Certificate Signing Request) from that private key. The -days option has no effect on a CSR (a request carries no validity period; the CA sets it when signing), so it is left out here:
Code:
# openssl req -new -key private/iphone.key -out iphone.csr


Step 3: Sign the CSR with your own private CA, if you have one (openssl ca expects a CA configured in openssl.cnf, with its index.txt and serial files in place), or send it to a public CA for signing. In the latter case make sure you also obtain the CA's certificate and import it on your VPN server, otherwise the server cannot validate the client certificate and authentication will fail.
Code:
# openssl ca -verbose -days 3650 -in iphone.csr -out certs/iphone.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt


For a certificate to be usable for IPsec authentication, the subjectAltName X.509 extension must be included in the signed certificate. The x509ext.txt file passed with -extfile should therefore look like the line below (replace the placeholders with the identities your gateway will match on; a client certificate normally needs only the email or DNS entry):
Code:
subjectAltName=email:someone@somedomain.com,DNS:vpn.somedomain.com,IP:XXX.XXX.XXX.XXX

The same applies to the VPN concentrator's own certificate, since each side validates the certificate received from the other party against its trusted CA certificate.

IPsec implementations also match the IKE identity the peer presents (FQDN, IP address or user@FQDN) against the subjectAltName of the peer's certificate, so make sure the extension is present and that it contains exactly the identity configured as the IKE ID on the other side.

Step 4: Now that we have the private key and the CA-signed certificate, we can create the PKCS#12 bundle that iPhone and iPad accept:
Code:
# openssl pkcs12 -export -out iphone.p12 -inkey private/iphone.key -in certs/iphone.pem -chain -CAfile cacert.pem

The resulting iphone.p12 bundle contains the private key that the iPhone uses to sign the IKE authentication payload, the client certificate that the iPhone presents to the IPsec VPN server to authenticate itself, and the CA certificate that the iPhone uses to validate the certificate received from the VPN server.

openssl pkcs12 -export prompts for an export password that encrypts the bundle; choose a strong one, because anyone holding the file and the password holds this client's identity. Note that ephemeral DH in IKE phase 1 gives forward secrecy for the traffic of past sessions, but it does not reduce the impact of a stolen private key: whoever has the key can authenticate as this device until the certificate is revoked or expires.

Email the file to yourself as an attachment, open the email on the iPhone and import it (send the import password by another channel, not in the same email). The import password will be required, as well as your iPhone/iPad passcode if you have one set. Once imported, you can see more details on this certificate in Settings->General->Profiles->"Common Name of certificate".

Now, when adding a VPN connection on the iPhone, the "Use Certificate" switch will no longer be grayed out and you can select the certificate by its CN.

That's it.
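The whole procedure above, as an added example that is not part of the original post: it builds a private CA, a client key, a CSR, a signed certificate with subjectAltName and the final .p12, using only the openssl CLI, and then runs the checks you would want before mailing the bundle anywhere (chain validation, SAN contents, bundle contents, key/certificate match). The CA name, client CN, SAN identities and passphrase are constructed placeholders. Signing is done with openssl x509 -req rather than openssl ca so that no openssl.cnf CA section, index.txt or serial file is needed; the extension file is the same one you would pass to openssl ca -extfile.

```shell
#!/bin/sh
# Added example, not code from the original post: build an iPhone/iPad IPsec
# client certificate bundle end to end with the openssl CLI, then check it
# before it leaves your machine. All names below are constructed placeholders
# (CA name, client CN, SAN identities, passphrase); substitute your own.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
# Export password for the .p12; the bundle is exactly as secure as this string.
P12PASS="${P12PASS:-replace-with-a-long-random-passphrase}"

# Step 1 (only if you are your own CA): self-signed CA key and certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Private VPN CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Step 2: client private key and CSR. 2048-bit RSA, not 1024.
# No -days here: a CSR carries no validity period, the CA decides that.
make_csr() {
    openssl genrsa -out "$WORK/iphone.key" 2048 >/dev/null 2>&1
    openssl req -new -key "$WORK/iphone.key" -subj "/CN=iphone-user" \
        -out "$WORK/iphone.csr" >/dev/null 2>&1
}

# Step 3: sign the CSR, adding the subjectAltName both IKE peers match on.
# 'openssl x509 -req' replaces 'openssl ca' so no CA config/index/serial
# files are required; the extension file is the same as for 'openssl ca'.
sign_cert() {
    cat > "$WORK/x509ext.txt" <<'EOF'
subjectAltName=email:someone@somedomain.com,DNS:vpn.somedomain.com
EOF
    openssl x509 -req -sha256 -days 3650 -in "$WORK/iphone.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -extfile "$WORK/x509ext.txt" -out "$WORK/iphone.pem" >/dev/null 2>&1
}

# Step 4: bundle key, client certificate and CA certificate into PKCS#12.
export_p12() {
    openssl pkcs12 -export -out "$WORK/iphone.p12" -inkey "$WORK/iphone.key" \
        -in "$WORK/iphone.pem" -certfile "$WORK/cacert.pem" \
        -passout "pass:$P12PASS"
}

build_all() { make_ca; make_csr; sign_cert; export_p12; }

# --- checks a practitioner runs before mailing the bundle anywhere ---

# Does the client certificate chain to the CA the gateway trusts?
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/iphone.pem" >/dev/null 2>&1
}

# The SAN identities as written in the certificate; these must equal the
# IKE ID (user@FQDN, FQDN or IP) the VPN gateway expects from this client.
san_of_cert() {
    openssl x509 -in "$WORK/iphone.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Number of certificates inside the bundle; expect 2 (client cert + CA cert).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/iphone.p12" -nokeys -passin "pass:$P12PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Is the bundled private key the one that belongs to the client certificate?
p12_key_matches_cert() {
    key_mod=$(openssl pkcs12 -in "$WORK/iphone.p12" -nocerts -nodes \
        -passin "pass:$P12PASS" 2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
    cert_mod=$(openssl x509 -in "$WORK/iphone.pem" -noout -modulus)
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

build_all
echo "bundle:        $WORK/iphone.p12"
echo "SAN:           $(san_of_cert)"
echo "certs in p12:  $(p12_cert_count)"
verify_chain && echo "chain:         OK"
p12_key_matches_cert && echo "key <-> cert:  OK"
```

Run it as-is to get a throwaway bundle under a temporary directory, or set WORK and P12PASS in the environment. If an older device refuses a .p12 produced by OpenSSL 3.x, re-run the export with the -legacy option, which falls back to the older PKCS#12 encryption algorithms that such importers understand.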






