Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs
While other browsers and OSes accept PEM-formatted SSL certificates for IPsec VPN authentication, iOS on the iPad and iPhone requires the PKCS#12 (.p12) certificate format.
Step1: Generate the SSL private key (the command below uses a 1024-bit RSA key as in the original post; 1024-bit RSA is below current minimums, and 2048 bits is the usual choice today):
Code:
# openssl genrsa -aes128 -out private/iphone.key 1024
Step2: Create a CSR (Certificate Signing Request) using the private key from the previous step:
Code:
# openssl req -days 3650 -out iphone.csr -key private/iphone.key -new
Step3: Sign the CSR with your own private CA (if you have one) or send it to a public CA for signing (make sure you also get the CA's public certificate and import it into your VPN server, otherwise you will have authentication problems).
Code:
# openssl ca -verbose -days 3650 -in iphone.csr -out certs/iphone.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt
In order for SSL certificates to be used for IPsec VPN authentication, the subjectAltName X.509 extension must be included in the signed public certificate. For this, the x509ext.txt file contents should look like the following:
Code:
subjectAltName=email:someone@somedomain.com,DNS:vpn.somedomain.com,IP:XXX.XXX.XXX.XXX
The same applies to the VPN concentrator's certificate, since each side checks the signature on the other party's PEM certificate against its public CA certificate.
Also, all IPsec vendors look at the subjectAltName in the certificate for the FQDN, IP or user@FQDN identifier sent by the other party, so make sure you don't omit it.
Step4: Now that we have the private key and the public certificate signed by the CA, we can create the pkcs12 bundle that the iPhone and iPad accept:
Code:
# openssl pkcs12 -export -out iphone.p12 -inkey private/iphone.key -in certs/iphone.pem -chain -CAfile cacert.pem
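The four steps above, run end to end with two checks a practitioner would want before mailing the bundle anywhere: that the signed certificate actually carries the subjectAltName the IPsec peer will look up, and that the .p12 contains both the client certificate and the CA certificate. This is an added example, not the original post's commands: it uses a throwaway self-signed CA and `openssl x509 -req` instead of `openssl ca` so it runs without a CA directory layout, `-certfile` instead of `-chain -CAfile` to include the CA cert, 2048-bit keys, and constructed placeholder names and an RFC 5737 documentation IP.

```shell
#!/bin/sh
# Added example (not from the original post). Builds the iPhone pkcs12
# bundle in a scratch directory and verifies SAN presence and CA inclusion.
set -eu

# Args: p12 export password. Returns 0 if both checks pass, 1 otherwise.
build_and_check_p12() {
    pw="$1"
    dir=$(mktemp -d)
    # Constructed placeholder identities; replace with your own values.
    san="email:someone@somedomain.com,DNS:vpn.somedomain.com,IP:192.0.2.10"

    # Throwaway self-signed CA standing in for the post's cakey.pem/cacert.pem.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$dir/cakey.pem" -out "$dir/cacert.pem" 2>/dev/null

    # Step 1 + 2: client private key and CSR for the phone.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=iphone" \
        -keyout "$dir/iphone.key" -out "$dir/iphone.csr" 2>/dev/null

    # Step 3: sign the CSR, adding the SAN from an x509ext.txt file
    # with the same one-line format the post shows.
    printf 'subjectAltName=%s\n' "$san" > "$dir/x509ext.txt"
    openssl x509 -req -days 3650 -in "$dir/iphone.csr" \
        -CA "$dir/cacert.pem" -CAkey "$dir/cakey.pem" -CAcreateserial \
        -extfile "$dir/x509ext.txt" -out "$dir/iphone.pem" 2>/dev/null

    # Step 4: bundle key, signed cert and CA cert into a password-protected p12.
    openssl pkcs12 -export -out "$dir/iphone.p12" -inkey "$dir/iphone.key" \
        -in "$dir/iphone.pem" -certfile "$dir/cacert.pem" -passout "pass:$pw"

    # Check 1: the signed cert must carry the SAN the IPsec peer matches on.
    openssl x509 -in "$dir/iphone.pem" -noout -ext subjectAltName \
        | grep -q 'vpn.somedomain.com' || { rm -rf "$dir"; return 1; }

    # Check 2: the bundle must hold two certs (client cert plus CA cert).
    n=$(openssl pkcs12 -in "$dir/iphone.p12" -nokeys -passin "pass:$pw" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE')
    rm -rf "$dir"
    [ "$n" -eq 2 ]
}
```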
So the resulting iphone.p12 bundle will contain the private key that the iPhone will use to decrypt the DH parameters, the public certificate that the iPhone will present to the IPsec VPN server to authenticate, and the CA public certificate that the iPhone will use to verify the signature on the public certificate received from the VPN server.
Obviously, OpenSSL will (and should) protect this iphone.p12 file with a strong password to avoid security concerns (but if you are using ephemeral DH for key exchange in your IPsec phase 1 negotiation, then loss of the private key will not be a big concern).
Email the file to yourself as an attachment, open the email on the iPhone and import it. The import password will be required, as well as your iPhone/iPad passcode (if you have one in place). Once you import it, you can see more details on this certificate in Settings->General->Profiles->"Common Name of certificate".
Now, when adding a VPN connection on the iPhone, the "Use Certificate" switch will no longer be grayed out and you can select the certificate by its CN.
That's it.