Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 12:43 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Sat Mar 11, 2017 5:16 pm 
Offline

Joined: Sat Mar 11, 2017 5:02 pm
Posts: 1
Hi!

I uploaded into 9a slot private key with certificate signed by our enterprise CA without a problem via PIV manager: it is displayed in PIV manager correctly. W used to use this certificate for OpenVPN from disk, now I would like to used it from Yubikey Neo.

But truing to access it from OpenVPN gives me an issue:
Code:
c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openvpn --verb 7 --show-pkcs11-ids libykcs11-1.dll
Sat Mar 11 16:50:32 2017 us=492798 PKCS#11: Adding provider 'libykcs11-1.dll'-'libykcs11-1.dll'
Sat Mar 11 16:50:32 2017 us=531292 PKCS#11: Provider 'libykcs11-1.dll' added rv=0-'CKR_OK'
Sat Mar 11 16:50:32 2017 us=531792 PKCS#11: Creating a new session
Sat Mar 11 16:50:32 2017 us=532794 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
Sat Mar 11 16:50:32 2017 us=991522 PKCS#11: Cannot get object attribute for provider 'Yubico (www.yubico.com)' object 37 rv=6-'CKR_FUNCTION_FAILED'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Terminating openssl
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Removing providers
Sat Mar 11 16:50:32 2017 us=992524 PKCS#11: Removing provider 'libykcs11-1.dll'
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Releasing sessions
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Terminating slotevent
Sat Mar 11 16:50:33 2017 us=470 PKCS#11: Marking as uninitialized

c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openssl
7688:error:02001005:system library:fopen:Input/output error:bss_file.c:175:fopen('C:\PHP\extras\ssl','rb')
7688:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:184:
7688:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:197:


Certificate generated by PIV manager is displayed and accessed by OpenVPN without any issue:

Code:
c:\Program Files (x86)\Yubico\yubico-piv-tool\bin>openvpn --verb 7 --show-pkcs11-ids libykcs11-1.dll
Sat Mar 11 16:14:52 2017 us=128736 PKCS#11: Adding provider 'libykcs11-1.dll'-'libykcs11-1.dll'
Sat Mar 11 16:14:52 2017 us=164557 PKCS#11: Provider 'libykcs11-1.dll' added rv=0-'CKR_OK'
Sat Mar 11 16:14:52 2017 us=164557 PKCS#11: Creating a new session
Sat Mar 11 16:14:52 2017 us=165557 PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.
Sat Mar 11 16:14:52 2017 us=495035 PKCS#11: Using cached session

Certificate
       DN:             CN=Test yubikey#1
       Serial:         AE4D23097B986B64
       Serialized id:  Yubico/YubiKey\x20NEO/1234/YubiKey\x20PIV/00
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Terminating openssl
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Removing providers
Sat Mar 11 16:14:52 2017 us=497416 PKCS#11: Removing provider 'libykcs11-1.dll'
Sat Mar 11 16:14:52 2017 us=505510 PKCS#11: Releasing sessions
Sat Mar 11 16:14:52 2017 us=506011 PKCS#11: Terminating slotevent
Sat Mar 11 16:14:52 2017 us=506011 PKCS#11: Marking as uninitialized


How can I import externaly generated SSL certificate to work with OpenVPN? I would be gratefull for any help.

I'm runing:

Code:
Windows 10 version 10.0.14393 64bit


Code:
openvpn --version
OpenVPN 2.4.0 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Jan 31 2017
library versions: OpenSSL 1.0.2k  26 Jan 2017, LZO 2.09
Windows version 6.2 (Windows 8 or greater) 64bit
Originally developed by James Yonan
Copyright (C) 2002-2017 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_async_push=no enable_comp_stub=no enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=needless enable_fragment=yes enable_iproute2=no enable_libtool_lock=yes enable_lz4=yes enable_lzo=yes enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=no enable_plugin_down_root=no enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=yes enable_small=no enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=no enable_werror=no enable_win32_dll=yes enable_x509_alt_username=no with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='$(libdir)/openvpn/plugins' with_special_build= with_sysroot=no


Code:
yubico-piv-tool.exe -V
yubico-piv-tool 1.4.2


Quote:
yubikey neo firmware 3.4.9


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 7 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group