Hi Derek,

>> Does Windows require the complete chain for the client
>> certificate?
> 
> If you deliberately delete the CA certificate of the client
> certificate on Windows, then when you try to connect, you will get an
> error message in red, "Invalid certificate type." This is an
> "all-purpose" error message Windows gives when it does not like
> something about your certificates. If you look in Windows Event
> Viewer, you will see an error from source RasClient saying, "The error
> code returned on failure is 13819." Again, this is an "all-purpose"
> error code for certificates.

Interesting, so I guess if you can't use PKCS#12 files with the complete
chain (because Windows doesn't import the CA certs correctly and it's
not possible to correct this programmatically), you might have to be
prepared to parse two keys in case the CA certificates are not the same:
local.ca for the CA certificate of the client certificate and
remote.cert (to be compatible with our format) for the CA certificate
required to verify the server certificate. If they are the same, only
one of these has to be specified (ideally remote.cert so the same file
could be used for Android as well).

Regards,
Tobias