OK, so I have a signed cert on a smartcard and I have the following issues
while trying to use it with OpenVPN on a Windows machine. The OpenVPN
version I am using is the latest release candidate available for download
from the website:
1) OpenVPN won't let me set the providers in the command line
openvpn --pkcs11-providers eTpkcs11.dll
returns the error:
Options error: You must define the TUN/TAP device <--dev>
Use --help for more information
2) In my config file I am using dev tun, and that seems to make the above work,
but in the command line tool it asks for some ipconfig stuff. But now the
stuff on the smartcard is this:
*************************************************
C:\PKI\WC\NSIS>openvpn --show-pkcs11-objects eTpkcs11.dll 0
PIN:
Token Information:
label: eToken
manufacturerID: Aladdin Knowledge Systems Ltd.
model: eToken CardOS/M4
serialNumber: 46fbd014
flags: 0000000d
You can access this token using
--pkcs11-slot-type "label" --pkcs11-slot "eToken" options.
The following objects are available for use with this token.
Each object shown below may be used as a parameter to
--pkcs11-id-type and --pkcs11-id options.
Object
Type: Private Key
CKA_ID:
06
CKA_LABEL: Default
CKA_SIGN: TRUE
CKA_SIGN_RECOVER: TRUE
Object
Type: Certificate
CKA_ID:
06
CKA_LABEL:
subject: /CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA
serialNumber: 0F
notBefore: 070510134745Z
***********************************
So my client config file is such:
;pull
client
dev tun
proto udp
remote 128.100.103.211
port 1194
resolv-retry infinite
nobind
;persist-key
;persist-tun
;ns-cert-type server
;comp-lzo
verb 3
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
;key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\client1.key"
pkcs11-providers "C:\\PKI\\WC\\NSIS\\eTpkcs11.dll"
pkcs11-slot-type id
pkcs11-slot 06
pkcs11-id-type subject
pkcs11-id "/CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA"
************************************************************
When this is run with OpenVPN I get:
C:\Program Files\OpenVPN\sample-config>openvpn e-client.ovpn
Thu May 17 13:30:03 2007 OpenVPN 2.1_rc4 Win32-MinGW [SSL] [LZO2] built on Apr 25 2007
Thu May 17 13:30:03 2007 PKCS#11: Adding PKCS#11 provider 'C:\PKI\WC\NSIS\eTpkcs11.dll'
Thu May 17 13:30:03 2007 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
NEED-OK|token-insertion-request|Please insert SLOT(id=06) token:0
Thu May 17 13:30:05 2007 PKCS#11: Cannot set parameters 1-'CKR_CANCEL'
Thu May 17 13:30:05 2007 Cannot load certificate "subject:/CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA" from slot "id:06" using PKCS#11 interface
Thu May 17 13:30:05 2007 Error: private key password verification failed
Thu May 17 13:30:05 2007 Exiting
C:\Program Files\OpenVPN\sample-config>
*************************
I don't understand what is wrong here. HELP
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
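
Added example, not part of the original post and not OpenVPN code: a small Python check that compares the pkcs11-* directives of a client config with the --show-pkcs11-objects listing and reports a slot value that matches an object CKA_ID, a subject that is not on the token, and the inactive ns-cert-type line behind the verification warning. The function names and the trimmed sample strings are constructed for illustration, and the CKA_ID match is a heuristic.

```python
# Constructed sample input, trimmed from the listing and config quoted in the post.
LISTING = """Token Information:
label: eToken
Object
Type: Certificate
CKA_ID:
06
subject: /CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA
"""
CONFIG = """;ns-cert-type server
pkcs11-slot-type id
pkcs11-slot 06
pkcs11-id-type subject
pkcs11-id "/CN=Hisham Aziz/OU=CNS/O=UTORCertAuth/L=TO/ST=ON/C=CA"
"""

def parse_listing(text):
    """Return (token label, set of CKA_ID values, set of certificate subjects)."""
    lines = [ln.strip() for ln in text.splitlines()]
    label, ids, subjects = None, set(), set()
    for i, ln in enumerate(lines):
        if ln.startswith("label:") and label is None:
            label = ln.split(":", 1)[1].strip()
        elif ln == "CKA_ID:" and i + 1 < len(lines):
            ids.add(lines[i + 1].replace(" ", "").lower())  # hex dump is on the next line
        elif ln.startswith("subject:"):
            subjects.add(ln.split(":", 1)[1].strip())
    return label, ids, subjects

def parse_config(text):
    """Map each active directive to its unquoted argument; ';' and '#' lines are comments."""
    opts = {}
    for ln in (raw.strip() for raw in text.splitlines()):
        if ln and ln[0] not in ";#":
            key, _, val = ln.partition(" ")
            opts[key] = val.strip().strip('"')
    return opts

def lint(config_text, listing_text):
    """Return findings (hypothetical checks) for a client config against a token listing."""
    label, ids, subjects = parse_listing(listing_text)
    o, out = parse_config(config_text), []
    if o.get("pkcs11-slot-type") == "id" and o.get("pkcs11-slot", "").lower() in ids:
        out.append(f'slot: "{o["pkcs11-slot"]}" is an object CKA_ID; listing names slot label "{label}"')
    if o.get("pkcs11-id-type") == "subject" and o.get("pkcs11-id") not in subjects:
        out.append("id: pkcs11-id subject matches no certificate on the token")
    if "ns-cert-type" not in o:
        out.append("verify: no server certificate verification directive is active")
    return out
```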