[Vpn-help] certificates (p12)
Matthew Grooms
mgrooms at shrew.net
Sun Sep 7 21:23:04 CDT 2008
Rodrigo Ferroni wrote:
>
> Hi Matthew,
>
> We are using the release 2.1.1 stable on around 40 PCs with win/xp and
> the server on debian (racoon with mode_cfg, auth. ldap and pki); we are
> also using a few clients on ubuntu (our notebooks) and it works great.
> I can tell you we had some issues installing, but reading your post
> (problems with client install or uninstall) helped us a lot to understand
> how the installation process works and solve the problems.
>
> About one recent post related to rebooting the machine, we do two things
> to avoid this. One is like your post said: go to "Device Manager", select
> "Show hidden devices" and sometimes you can see "Shrew Soft Virtual
> Adapter" disabled; you need to enable this. And the other thing that we
> do is restart the "ike services" in the Trace Utility. I hope this helps.
>
Thanks for the input. I probably need to gather all this information and
add it to the support wiki. Your information will be a welcome addition.
> My question is about the certificates. We are using the "Server
> Certificate Authority File" with the file extension pem, the "Client
> Cert. File": someone.crt and the "Client Private Key File": someone.key.
> The CA is developed and maintained by us; we create the certificates and
> also we create the p12 container with one "export password". So if you
> replace the .crt and the .key with the p12 it works fine, but every time
> you click on "connect" the export passwd is asked. Is it possible to input the
> passwd only one time when you configure the VPN Site?
>
It's possible, but this would strip the file security added by the p12
generation program. The Shrew Soft client does not currently provide
configuration security of its own, so it's probably best if this was left
in place for now. At some point in the near future, I would like to add
support for the Microsoft key storage facility so passwords would only be
required once during import. The other enhancement I would like to add
is support for a master configuration password that gets entered once
and is used to encrypt local configuration data. These features are
coming, it's just taking longer than I had hoped. Sorry I don't have any
more constructive suggestions at the moment.
Thanks again,
-Matthew
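The trade-off in the reply above is that a .key file used in place of a p12 may sit unencrypted on disk. The following POSIX shell check is added here as an illustration and is not part of the Shrew Soft client or this thread; it reports whether a key file is still protected at rest, and the file names and sample contents it creates are constructed.

```shell
#!/bin/sh
# Classify how a private-key file is protected at rest.
# Prints one of: pem-encrypted | pem-plaintext | der-or-pkcs12 | unknown
key_protection() {
    f="$1"
    [ -r "$f" ] || { echo unknown; return 0; }
    if grep -q -- '-----BEGIN' "$f" 2>/dev/null; then
        # PEM text: an encrypted PKCS#8 key or a legacy key with a
        # "Proc-Type: 4,ENCRYPTED" header is still passphrase-protected.
        if grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$f"; then
            echo pem-encrypted
        elif grep -q -e 'PRIVATE KEY-----' "$f"; then
            echo pem-plaintext      # key material readable by anyone who can read the file
        else
            echo unknown            # PEM, but no private key (e.g. a certificate only)
        fi
        return 0
    fi
    # Binary: DER and PKCS#12 containers start with an ASN.1 SEQUENCE tag (0x30).
    # A p12 export keeps the key encrypted under its export password.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    if [ "$first" = "30" ]; then
        echo der-or-pkcs12
    else
        echo unknown
    fi
}

# Build constructed sample files (not real keys) in a temp dir and report on each.
demo() {
    d=$(mktemp -d)
    printf -- '-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n' > "$d/someone.key"
    printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09O\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$d/enc.key"
    printf '\060\202\001\000' > "$d/someone.p12"
    for f in "$d"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(key_protection "$f")"
    done
    rm -rf "$d"
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check.sh demo` to see the constructed samples classified; a result of pem-plaintext for the configured "Client Private Key File" means the key is only as protected as the file system permissions around it.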