Looking for more info on new System Identity feature
Got a problem with Viscosity or need help? Ask here!
I've been looking for documentation on the new authentication feature that leverages the macOS keychain but it seems it has not been updated so I figured I'd ask here. I'm looking for a way to use a certificate issued by a Microsoft CA as a user cert to authenticate against our OpenVPN servers. I know the native OpenVPN client for Windows supports using cryptoapicert in the client config file in order to specify either a cert thumbprint or subject of a cert within the Windows cert store. From what I understand, this new feature is the Mac equivalent (please correct me if I'm wrong). I've been trying to set this up but I'm not sure how to go about doing this. There are no options in the System Identity --> ID. I do have my user cert imported into the keychain along with the CA cert that issued it. I'm starting to think more and more that what is required is a computer cert and not a user cert. I would appreciate it if someone could clarify. Thank you in advance.
Hi lravelo,
You need both the certificate and corresponding private key loaded into the Keychain for it to be recognised by macOS as an identity. If you only load the certificate it cannot be used for authentication and Viscosity will not list it as an available identity.
If you've done this, but it's still not appearing, try using the latest beta version, which improves support for finding additional certificates and tokens:
https://www.sparklabs.com/support/kb/ar ... -versions/
If you want to use the feature in a similar fashion to the cryptoapicert command on Windows, you can set the Retrieval option to "Use any identity that matches", and enter a Match DN. For example, to match on the certificate's name you could enter something like "CN=My Certificate Name".
You mention "certificate issued by a Microsoft CA": please be sure you understand the security measures put in place for this and that you're not inadvertently making your VPN setup insecure. For example, you need to ensure that the appropriate CA certificate is being used for verification, and keep in mind that by default OpenVPN will not enforce that the remote client/server's certificate matches the CN or SAN presented.
Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
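The caveat in James's reply (a cert chain that validates is not the same as the *right* certificate) maps onto a couple of client-side OpenVPN directives. The fragment below is an added example, not configuration from the post or from SparkLabs; the hostname, file name and DN value are placeholders, and the same directives can be placed in a Viscosity connection's configuration since it is a standard OpenVPN client config.

```conf
# Added example client config (not from the original post).
# Placeholders: vpn.example.com, msca-issuing-chain.pem.
client
dev tun
proto udp
remote vpn.example.com 1194

# Weak default: with only "ca", OpenVPN accepts ANY certificate that chains to
# this CA as the server. If the Microsoft CA also issues user certificates, a
# user certificate could be presented as the "server" and still pass.
# Keep the file limited to the CA (or sub-CA) that actually issues the VPN
# server certificate rather than the whole enterprise root.
ca msca-issuing-chain.pem

# Hardening 1: require the server's certificate to be a server certificate.
# This checks the TLS Web Server Authentication EKU / key usage, so a client
# certificate (Client Authentication EKU only) cannot stand in for the server.
remote-cert-tls server

# Hardening 2: pin the subject the server must present.
# Type "name" compares the CN only; type "subject" compares the full DN
# (e.g. "C=US, O=Example, CN=vpn.example.com"). Note this checks the X.509
# subject, not the SAN extension.
verify-x509-name "vpn.example.com" name
```

Without the last two directives the client silently relies on the CA alone, which is exactly the exposure the reply warns about when a general-purpose enterprise CA is used. The server side has the mirror-image problem (any client certificate from the CA is accepted); there the usual controls are a dedicated issuing CA or template for VPN clients plus a CRL or `tls-verify` check, which is outside what this client fragment shows.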
Hi James,
Thanks for the feedback. I do have the corresponding private key for the cert imported into my login keychain. I imported it as a pfx. Both the user cert and the CA cert in the keychain are marked as trusted. I will try the beta version and will report back later. Thanks.