Linux, FreeBSD, Juniper, Cisco / Network security articles and troubleshooting guides

Topic review - Iphone/Ipad Ipsec VPNs using SSL certificates - How to use OpenSSL to generate and format certs
Posted: Wed Apr 10, 2013 5:42 am
While other OSes accept PEM-formatted certificates and keys for IPsec VPN authentication, iOS on iPhone and iPad expects the client certificate and its private key packaged together as a PKCS#12 (.p12) bundle.



Step1: Generate the client's RSA private key, protected with a passphrase. The original post used 1024 bits; 1024-bit RSA is no longer considered safe, so use at least 2048:
Code:
# openssl genrsa -aes128 -out private/iphone.key 2048


Step2: Create a CSR (Certificate Signing Request) from that private key. Do not pass -days here: openssl req only honours -days together with -x509 (self-signed certificate); for a CSR the validity is decided by the CA at signing time.
Code:
# openssl req -out iphone.csr -key private/iphone.key -new


Step3: Sign the CSR with your own private CA, or send it to a public CA for signing (in that case also obtain the CA's certificate and import it into your VPN server, otherwise authentication will fail). Note that openssl ca expects a configured CA directory (an openssl.cnf with a [ca] section, plus index.txt, serial and new_certs_dir); the -keyfile and -cert options below override the CA key and certificate paths from that configuration.
Code:
# openssl ca -verbose -days 3650 -in iphone.csr -out certs/iphone.pem -keyfile private/cakey.pem -cert cacert.pem -extfile x509ext.txt


For a certificate to be usable for IPsec VPN authentication, the subjectAltName X.509 extension must be present in the issued (signed) certificate, and only the CA can put it there: the -extfile option above reads the extension from x509ext.txt and adds it at signing time. The file contents should look like this:
Code:
subjectAltName=email:someone@somedomain.com,DNS:vpn.somedomain.com,IP:XXX.XXX.XXX.XXX

The same applies to the VPN concentrator's own certificate: each side verifies the signature on the other party's PEM certificate against the CA certificate it trusts, and then matches the identity the peer claims against that certificate.

IKE implementations match the FQDN, IP address or user@FQDN identifier sent by the peer against the subjectAltName of the peer's certificate, so make sure you do not omit it; a certificate that carries the identity only in its CN will generally fail identity matching.

Step4: With the private key, the signed certificate and the CA certificate in hand, create the PKCS#12 bundle that iPhone and iPad accept:
Code:
# openssl pkcs12 -export -out iphone.p12 -inkey private/iphone.key -in certs/iphone.pem -chain -CAfile cacert.pem
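The four steps above as one end-to-end, added example that is not part of the original post: it builds a throwaway private CA (the post assumes you already have one), runs steps 1 to 4 against it with the commands as corrected above, and then performs the three checks worth doing before the bundle leaves your hands. The CA name, the passphrases, the client CN, the SAN values and the minimal openssl.cnf are all assumptions chosen for the demo.

```shell
#!/bin/sh
# Added example, not the post's own commands: the four steps above run end to end
# against a throwaway private CA, then checked before the .p12 is handed out.
# All names, passwords and SAN values below are assumptions for the demo.
set -eu

KEY_PASS="client-key-demo"   # passphrase on iphone.key (assumed)
CA_PASS="ca-key-demo"        # passphrase on the demo CA key (assumed)
P12_PASS="import-me-once"    # PKCS#12 import password typed on the device (assumed)
CLIENT_CN="iphone-user"
SAN="email:someone@example.net,DNS:vpn.example.net,IP:203.0.113.10"

# Minimal configuration 'openssl ca' needs; the post assumes you already have a CA.
write_ca_config() {
    cat > "$1/openssl.cnf" <<'EOF'
[ ca ]
default_ca = demo_ca

[ demo_ca ]
dir           = ./demoCA
database      = $dir/index.txt
new_certs_dir = $dir/newcerts
serial        = $dir/serial
certificate   = $dir/cacert.pem
private_key   = $dir/private/cakey.pem
default_md    = sha256
policy        = policy_cn_only

[ policy_cn_only ]
commonName = supplied

[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = placeholder

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

build_ios_vpn_bundle() {
    work="$1"
    mkdir -p "$work/demoCA/private" "$work/demoCA/newcerts" "$work/private" "$work/certs"
    write_ca_config "$work"
    (
        cd "$work"
        : > demoCA/index.txt
        echo 1000 > demoCA/serial
        # Throwaway CA standing in for "your own private CA" (cakey.pem / cacert.pem).
        openssl req -x509 -config openssl.cnf -extensions v3_ca -days 3650 -sha256 \
            -newkey rsa:2048 -passout "pass:$CA_PASS" -keyout demoCA/private/cakey.pem \
            -subj "/CN=Demo VPN CA" -out demoCA/cacert.pem
        # Step 1: client private key, 2048 bits rather than the 1024 of the original post.
        openssl genrsa -aes128 -passout "pass:$KEY_PASS" -out private/iphone.key 2048
        # Step 2: CSR. No -days here; openssl req ignores it unless -x509 is given.
        openssl req -new -config openssl.cnf -key private/iphone.key \
            -passin "pass:$KEY_PASS" -subj "/CN=$CLIENT_CN" -out iphone.csr
        # The post's x509ext.txt, plus the usual end-entity constraints.
        cat > x509ext.txt <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectAltName = $SAN
EOF
        # Step 3: sign with the CA; -extfile is what puts the SAN into the issued cert.
        openssl ca -batch -notext -config openssl.cnf -days 3650 -passin "pass:$CA_PASS" \
            -in iphone.csr -out certs/iphone.pem -extfile x509ext.txt
        # Step 4: PKCS#12 bundle = client key + client cert + CA cert.
        openssl pkcs12 -export -out iphone.p12 -name "$CLIENT_CN" \
            -inkey private/iphone.key -passin "pass:$KEY_PASS" \
            -in certs/iphone.pem -chain -CAfile demoCA/cacert.pem \
            -passout "pass:$P12_PASS"
    )
}

# The checks to run before emailing anything; returns non-zero if any of them fails.
check_bundle() {
    work="$1"
    # 1. The issued certificate chains to the CA the VPN gateway will be told to trust.
    openssl verify -CAfile "$work/demoCA/cacert.pem" "$work/certs/iphone.pem" >/dev/null || return 1
    # 2. The SAN the IKE peer matches the identity against is really in the signed cert.
    openssl x509 -in "$work/certs/iphone.pem" -noout -text | grep -q "DNS:vpn.example.net" || return 1
    # 3. The bundle opens with the import password and carries the client certificate.
    openssl pkcs12 -in "$work/iphone.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject | grep -q "CN *= *$CLIENT_CN" || return 1
    echo "ok: $work/iphone.p12 verified against $work/demoCA/cacert.pem"
}

demo="$(mktemp -d)"
build_ios_vpn_bundle "$demo"
check_bundle "$demo"
```

For a real deployment, point -config at your existing CA, keep the passphrases out of the script, and replace the SAN with the identity the gateway will actually match; the three checks in check_bundle stay the same.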

The resulting iphone.p12 bundle contains the private key the iPhone uses to sign its IKE authentication payload (this proves possession of the key; the key is not used to decrypt the DH exchange), the signed certificate the iPhone presents to the IPsec VPN server to authenticate, and the CA certificate the iPhone uses to verify the signature on the certificate it receives from the VPN server.

openssl pkcs12 -export prompts for an export password; choose a strong one, because anyone who obtains iphone.p12 together with that password can authenticate to the VPN as this client. Ephemeral DH in the phase 1 negotiation gives forward secrecy for already recorded sessions, but it does not reduce the impact of a stolen private key: the key is what authenticates the client, so a stolen key lets an attacker connect as that user until the certificate is revoked.

Email the file to yourself as an attachment, open the email on the iPhone and import it (the mail servers in between see the bundle, so the import password is the only thing protecting it in transit, one more reason to make it strong). You will be asked for the import password as well as your iPhone/iPad passcode (if you have one set). Once imported, you can see the certificate's details under Settings->General->Profiles->"Common Name of certificate".

Now, when adding a VPN connection on the iPhone, the "Use Certificate" switch is no longer grayed out and you can select the certificate by its CN.

That's it.