In our use case, we are provided a p12 file.
We are testing on RHEL 8.
My thoughts on where improvement could take place:

- instructions on how to extract the private key and the certs from
the p12 (see below)
- offer openssl_tpm2_engine ibmtss (ibmtss-devel, libibmtss0) packages in EPEL 8
- build the openconnect EPEL package against ibmtss for TPMv2 support.

The steps I am using are as follows. Passwords etc. have been removed.

PKCS="file.p12"
MY_P12_PASSWORD="MyPassw0rd!!"
TPM_LOCK_PASSWORD="MyPassw0rd!!"
VPN_SERVER="myserver.ibm.com"
#
# Extract the (unencrypted) private key from the PKCS#12 bundle
openssl pkcs12 -in "${PKCS}" -nocerts -nodes -passin pass:"${MY_P12_PASSWORD}" \
    | openssl rsa -out private.pem
# Extract only the user (client) certificate
openssl pkcs12 -in "${PKCS}" -clcerts -nokeys -chain -passin pass:"${MY_P12_PASSWORD}" \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > user_cert.crt
# Extract the CA certificates
openssl pkcs12 -in "${PKCS}" -cacerts -nokeys -chain -passin pass:"${MY_P12_PASSWORD}" \
    | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca_cert.crt
#
# Wrap the private key with the TPM (openssl_tpm2_engine)
create_tpm2_key -w private.pem private-key-tpm-wrapped.pem
#
# Connect using the TPM-wrapped key
sudo openconnect \
    --csd-wrapper=/usr/share/ibm-config-NetworkManager-openconnect/csd.sh \
    --sslkey=private-key-tpm-wrapped.pem --certificate=user_cert.crt \
    --cafile=ca_cert.crt https://${VPN_SERVER} -v


We are also using the following csd wrapper.

On Tue, Mar 3, 2020 at 8:29 AM David Woodhouse <dw...@infradead.org> wrote:
>
> On Mon, 2020-03-02 at 18:26 +0100, Grant Williamson wrote:
> > Thank you. Sorry I intended to reply sooner.
>
> That's good to know; thanks.
>
> Next question: Now you've worked it out, could the documentation be
> improved in any way? What was missing?
>
> Better still, what should be fixed in the code (or tools/helpers
> provided) so that we don't *have* to document it?
>

Attachment: csd.sh
Description: application/shellscript

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
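A sanity check for the files those extraction and wrapping steps produce, added here as an example (not code from the original post, openconnect or openssl_tpm2_engine): it confirms that user_cert.crt holds exactly one certificate and ca_cert.crt at least one, that the file handed to --sslkey is a TPM-wrapped key rather than the plaintext private.pem, and, when the openssl CLI is installed, that the certificate's public key matches the private key. It assumes create_tpm2_key writes a PEM block labelled "TSS2 PRIVATE KEY" (older releases used "TSS2 KEY BLOB").

```shell
#!/bin/sh
# Added example, not from the original post. Checks the files produced by the
# openssl/create_tpm2_key steps before they are handed to openconnect.
# Assumption: create_tpm2_key writes a PEM block labelled "TSS2 PRIVATE KEY"
# (older releases used "TSS2 KEY BLOB").

# Print the number of PEM blocks with label $2 (e.g. CERTIFICATE) in file $1.
pem_block_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -c -- "^-----BEGIN $2-----" "$1" || true
}

# user_cert.crt ($1) must hold exactly one cert (-clcerts), ca_cert.crt ($2)
# at least one; a whole chain in the user cert file is a common mistake.
check_cert_files() {
    [ "$(pem_block_count "$1" CERTIFICATE)" -eq 1 ] || return 1
    [ "$(pem_block_count "$2" CERTIFICATE)" -ge 1 ]
}

# Succeeds only if $1 is a TPM-wrapped key and holds no plaintext private key,
# i.e. the wrapping step was not skipped and private.pem was not passed instead.
is_tpm_wrapped_key() {
    [ -f "$1" ] || return 1
    grep -E -q -- '^-----BEGIN TSS2 (PRIVATE KEY|KEY BLOB)-----' "$1" || return 1
    ! grep -E -q -- '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# Succeeds if the public key in cert $1 equals the public key of private key $2.
# Needs the openssl CLI; returns 2 when it is not installed.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run all checks on the file names used in the post; prints one line per check.
run_checks() {
    rc=0
    check_cert_files user_cert.crt ca_cert.crt && echo "PASS cert files" || { echo "FAIL cert files"; rc=1; }
    is_tpm_wrapped_key private-key-tpm-wrapped.pem && echo "PASS tpm key" || { echo "FAIL tpm key"; rc=1; }
    key_matches_cert user_cert.crt private.pem && r=0 || r=$?
    case $r in 0) echo "PASS key/cert match";; 2) echo "SKIP key/cert match (no openssl)";; *) echo "FAIL key/cert match"; rc=1;; esac
    return $rc
}
```

Run `run_checks` in the directory holding the extracted files; it exits non-zero if any check fails, and the plaintext private.pem should be deleted once the key/cert check has passed.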
