I uploaded into 9a slot private key with certificate signed by our enterprise CA without a problem via PIV manager: it is displayed in PIV manager correctly. W used to use this certificate for OpenVPN from disk, now I would like to used it from Yubikey Neo.
But truing to access it from OpenVPN gives me an issue:
Code:
c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openvpn --verb 7 --show-pkcs11-ids libykcs11-1.dll
Sat Mar 11 16:50:32 2017 us=492798 PKCS#11: Adding provider 'libykcs11-1.dll'-'libykcs11-1.dll'
Sat Mar 11 16:50:32 2017 us=531292 PKCS#11: Provider 'libykcs11-1.dll' added rv=0-'CKR_OK'
Sat Mar 11 16:50:32 2017 us=531792 PKCS#11: Creating a new session
Sat Mar 11 16:50:32 2017 us=532794 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
Sat Mar 11 16:50:32 2017 us=991522 PKCS#11: Cannot get object attribute for provider 'Yubico (www.yubico.com)' object 37 rv=6-'CKR_FUNCTION_FAILED'
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Terminating openssl
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Removing providers
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Removing provider 'libykcs11-1.dll'
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Releasing sessions
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Terminating slotevent
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Marking as uninitialized
c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openssl
7688:error:02001005:system library:fopen:Input/output error:bss_file.c:175:fopen('C:\PHP\extras\ssl','rb')
7688:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
7688:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:197:
Certificate generated by PIV manager is displayed and accessed by OpenVPN without any issue:
Code:
c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openvpn --verb 7 --show-pkcs11-ids libykcs11-1.dll
Sat Mar 11 16:14:52 2017 us=128736 PKCS#11: Adding provider 'libykcs11-1.dll'-'libykcs11-1.dll'
Sat Mar 11 16:14:52 2017 us=164557 PKCS#11: Provider 'libykcs11-1.dll' added rv=0-'CKR_OK'
Sat Mar 11 16:14:52 2017 us=164557 PKCS#11: Creating a new session
Sat Mar 11 16:14:52 2017 us=165557 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Sat Mar 11 16:14:52 2017 us=495035 PKCS#11: Using cached session
Certificate
DN: CN=Test yubikey#1
Serial: AE4D23097B986B64
Serialized id: Yubico/YubiKey\x20NEO/1234/YubiKey\x20PIV/00
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Terminating openssl
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Removing providers
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Removing provider 'libykcs11-1.dll'
Sat Mar 11 16:14:52 2017 us=505510 PKCS#11: Releasing sessions
Sat Mar 11 16:14:52 2017 us=506011 PKCS#11: Terminating slotevent
Sat Mar 11 16:14:52 2017 us=506011 PKCS#11: Marking as uninitialized
How can I import externaly generated SSL certificate to work with OpenVPN? I would be gratefull for any help.
I'm runing:
Code:
Windows 10 version 10.0.14393 64bit
Code:
openvpn --version
OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
library versions: OpenSSL 1.0.2k 26 Jan 2017, LZO 2.09
Windows version 6.2 (Windows 8 or greater) 64bit
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_special_build= with_sysroot=no
Code:
yubico-piv-tool.exe -V
yubico-piv-tool 1.4.2
Quote:
yubikey neo firmware 3.4.9
Statistics: Posted by qnox — Sat Mar 11, 2017 5:16 pm
]]>