Using PKCS#12 file requires password for private key

Bug #780717 reported by Ralf Hildebrandt
This bug affects 20 people
Affects: network-manager-openvpn (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: network-manager-openvpn

network-manager-openvpn allows one to specify PKCS#12 files instead of separate files for CA, cert and key. That's wonderful.
There's one problem though: when specifying a *.p12 file, one HAS to enter a "Private key password" even if the PKCS#12 is not password protected at all.
When specifying separate files for CA, cert and key, entering the "Private key password" is optional. Not when using the PKCS#12 file.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: network-manager-openvpn-gnome 0.8.1+git.20100810t173015.1711d04-0ubuntu2
ProcVersionSignature: Ubuntu 2.6.38-9.43-generic 2.6.38.4
Uname: Linux 2.6.38-9-generic x86_64
Architecture: amd64
Date: Tue May 10 21:48:08 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Beta amd64 (20110413)
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: network-manager-openvpn
UpgradeStatus: No upgrade log present (probably fresh install)

Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
MvW (2nv2u) wrote :

Same problem here, exported an openvpn configuration from pfSense without a password, but I can't import the configuration in the network manager because of this.

Daniel Smith (connect404) wrote :

Ubuntu 11.10 (Gnome)
Using a pkcs#12 file from pfsense I entered a couple of random characters in the box (though the key file or server didn't require it) and I could save & connect fine.

Ubuntu 11.10 (XFCE)
Same as above but the gui prompts for the password when trying to connect to the vpn.

zmpeg (zmpeg) wrote :

Same thing on Ubuntu 13.04, also from pfSense

Tim Mani (roshfall) wrote :

Xubuntu 12.04, also created using pfSense without password on private key. Unable to leave password field empty and save settings. Also does not work when entering characters into the field.

tags: added: precise
Peter Wright (peterwright1986-d) wrote :

Also on Xubuntu 12.04, and can confirm it does not allow connecting unless the private key password field is populated. Entering irrelevant characters does not work.

Bart Verwilst (verwilst) wrote :

Ubuntu 13.10, still present. Approaching 3rd year, not a single f*ck has been given.

zmpeg (zmpeg) wrote :

Xubuntu 14.04, now this causes a segfault instead of just preventing you from continuing. Doesn't matter if you import a .ovpn file or manually import the keys.

Apr 21 11:20:23 zmpeg-xps kernel: [ 110.930821] nm-connection-e[2433]: segfault at 14a77e0 ip 00000000014a77e0 sp 00007fff2e3f2e18 error 15

Bart Verwilst (verwilst) wrote :

Segfault confirmed, you can no longer import openvpn configs in 14.04

Russell Briggs (russell-briggs) wrote :

No segfault here on 14.04 (pfSense 2.1.4 with the OpenVPN Export Plugin), but exporting the config+certs ('Archive') from pfSense, you can't save the imported profile in network manager without entering a password for the pkcs12 file (which when exported from pfSense, doesn't have one!)

I've been able to get round this by exporting the user's Public + Private Keys, and the CA Cert individually from pfSense then selecting them individually in the network manager interface. Bit of a P.I.T.A though :(

Matthias Weiler (matthias-weiler) wrote :

Still true for xenial.

connstance (connstance) wrote :

Comrades, it is not a bug. If you are using pfSense you should define the p12 password in Certificate Export Options. Just pick "Password Protect Certificate" and type the password you would like, save and re-export.

Hugo Lía (hugolia) wrote :

The solution suggested by connstance does not resolve the problem. In my case I am trying to access my customer's VPN and I cannot password protect the certificate. In pfSense this is a global option, and if they change this they need to change all users' VPN.

Suncatcher (suncatcher) wrote :

Confirm this too. Even on 17.04 the problem still exists.
I have no password on p12 certificate, but network-manager openvpn plugin still requires it.
Yes, the trick with random characters works, but this is dumb.

wistle (charl-wentzel) wrote :

Confirm the same problem on 16.04 LTS
The random characters do not work for me.
It's a customer's VPN so I cannot insist on changes being made to fit me. The configuration works fine when using the command line "openvpn --config xxxx.ovpn", but I would prefer to use Network Manager for the simplicity of it.

Andy Mason (amason-c) wrote :

Issue continues as of 18.10

I can enter a random character to get past it, but that wasn't intuitive.

Myles Wakeham (myles-s) wrote :

There is a workaround for this, but it isn't as simple as it should be. I can confirm that in 18.04.2 LTS you can't import the p12 cert into it. However, if you manually extract the crt, key and ca from the p12 file, you can select each file manually for an openvpn connection, and that does work. I used the following commands to do it, and this was successful on 18.04.2

Private Key
openssl pkcs12 -in client.p12 -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > client.key

Public Certificate
openssl pkcs12 -in client.p12 -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client.cer

CA Certificate
openssl pkcs12 -in client.p12 -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > client-ca.cer

Just replace the "client" part of the lines above with your file. It is a pain that you have to do this, but it does work.
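
A hardened variant of the extraction in the comment above, added here as an example and not part of the original comment: `-nodes` writes the private key unencrypted, so this version creates the output files with owner-only permissions, verifies the bundle before writing anything, and reads the import password from the environment (empty for an unprotected export). The function name `split_p12`, the `P12_PASS` variable and the output directory argument are assumptions.

```sh
#!/bin/sh
# Added example (not from the original comment). split_p12, P12_PASS and the
# output directory are assumptions; output file names match the commands above.
# Usage: P12_PASS='' ./split-p12.sh client.p12 ./vpn-files

split_p12() {
    p12=$1
    outdir=$2
    # The import password comes from the environment, so it does not show up
    # in the process list; an unprotected export uses the empty string.
    P12_PASS=${P12_PASS-}
    export P12_PASS

    # -noout only verifies the bundle: a wrong password or a file that is not
    # PKCS#12 is reported here, before any output file is written.
    if ! openssl pkcs12 -in "$p12" -passin env:P12_PASS -noout 2>/dev/null; then
        echo "split_p12: cannot open $p12 with the supplied password" >&2
        return 1
    fi

    (
        # -nodes writes the private key unencrypted, so create every output
        # file readable by the owner only.
        umask 077
        mkdir -p "$outdir" || exit 1
        # The key pattern also accepts "RSA PRIVATE KEY" style headers.
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null |
            sed -ne '/-BEGIN .*PRIVATE KEY-/,/-END .*PRIVATE KEY-/p' > "$outdir/client.key"
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
            sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$outdir/client.cer"
        openssl pkcs12 -in "$p12" -passin env:P12_PASS -cacerts -nokeys 2>/dev/null |
            sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > "$outdir/client-ca.cer"
        # umask does not tighten a file that already existed.
        chmod 600 "$outdir/client.key" "$outdir/client.cer" "$outdir/client-ca.cer"
        # Succeed only if a key and a client certificate were actually extracted.
        [ -s "$outdir/client.key" ] && [ -s "$outdir/client.cer" ]
    )
}

if [ "$#" -eq 2 ]; then
    split_p12 "$1" "$2"
fi
```

If the bundle carries no CA certificate, `client-ca.cer` is left empty and the CA has to be obtained separately.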
