AnyConnect VPN Content Linux ocserv OpenConnect VPN Ubuntu Ubuntu Server

How to Set up Certificate Authentication in OpenConnect VPN Server (ocserv)

ocserv certificate authentication

This tutorial might be displaying you ways to set up certificates authentication in OpenConnect VPN server (ocserv) on Ubuntu. OpenConnect (ocserv) is an open-source implementation of the Cisco AnyConnect VPN protocol.

In a earlier article, I defined the steps to set up OpenConnect VPN server with Let’s Encrypt TLS server certificates. Let’s Encrypt doesn’t challenge shopper certificates, so in that article, we used password authentication. Getting into username and password each time could be a problem, particularly if the shopper software program, such because the Cisco AnyConnect app on iOS, doesn’t supply an choice to keep in mind password. Many OpenConnect shopper software program can import consumer certificates, which can free the consumer from getting into username and password. Certificate authentication can also be safer than password authentication.


To comply with this tutorial, it’s assumed that you’ve already set up an OpenConnect VPN server with Let’s Encrypt TLS server certificates. We’ll set up our personal CA (Certificate Authority) to signal shopper certificates. The ocserv daemon ought to proceed utilizing the TLS server certificates issued by Let’s Encrypt, so shopper software program gained’t show safety warning.

Setting up Your Personal CA (Certificate Authority)

We would like to use certificates authentication, however Let’s Encrypt doesn’t situation shopper certificates, so we’d like to create our personal CA. You’ll be able to openssl to do the job, however ocserv recommends GnuTLS, so I’ll present you ways to use GnuTLS. Set up gnutls-bin package deal.

sudo apt set up gnutls-bin

Create a sub-directory in /and so forth/ocserv/ to maintain personal keys and certificates.

sudo mkdir /and so on/ocserv/ssl/

Change your working listing.

cd /and so on/ocserv/ssl/

Generate a personal key for the CA with the certtool command, which is offered by the gnutls-bin package deal. By default, it generates a 3072 bit RSA key, which is adequate.

sudo certtool –generate-privkey –outfile ca-privkey.pem

Earlier than producing the CA certificates, let’s create the CA certificates template file. The template file format might be discovered in certtool guide (man certtool).

sudo nano ca-cert.cfg

Add the next strains to the file. Exchange placeholders with the suitable values.

# X.509 Certificate choices

# The group of the topic.
group = “Example Org”

# The widespread identify of the certificates proprietor.
cn = “Example CA”

# The serial variety of the certificates.
serial = 001

# In what number of days, counting from at present, this certificates will expire. Use -1 if there isn’t a expiration date.
expiration_days = -1

# Whether or not this can be a CA certificates or not

# Whether or not this certificates can be used to signal knowledge

# Whether or not this key can be used to signal different certificates.

# Whether or not this key will probably be used to signal CRLs.

Save and shut the file. Now generate the CA certificates utilizing configurations from the template file.

sudo certtool –generate-self-signed –load-privkey ca-privkey.pem –template ca-cert.cfg –outfile ca-cert.pem

Now we have now a CA certificates file (ca-cert.pem).

Producing Shopper Certificate

Now run the next command to generate shopper personal key.

sudo certtool –generate-privkey –outfile client-privkey.pem

Create the shopper certificates template file.

sudo nano client-cert.cfg

Add the next strains into the file. The uid have to be a username in the /and so on/ocserv/ocpasswd file.

# X.509 Certificate choices
# The group of the topic.
group = “My Org”

# The widespread identify of the certificates proprietor.
cn = “John Doe”

# A consumer id of the certificates proprietor.
uid = “username”

# In what number of days, counting from as we speak, this certificates will expire. Use -1 if there isn’t any expiration date.
expiration_days = 3650

# Whether or not this certificates might be used for a TLS server

# Whether or not this certificates shall be used to signal knowledge

# Whether or not this certificates can be used to encrypt knowledge (wanted
# in TLS RSA ciphersuites). Notice that it’s most popular to use totally different
# keys for encryption and signing.

Save and shut the file. Then run the next command to generate shopper certificates, which can be signed by the CA personal key.

sudo certtool –generate-certificate –load-privkey client-privkey.pem –load-ca-certificate ca-cert.pem –load-ca-privkey ca-privkey.pem –template client-cert.cfg –outfile client-cert.pem

Mix the shopper personal key and certificates in a PKCS #12 file that’s protected by a PIN.

sudo certtool –to-p12 –load-privkey client-privkey.pem –load-certificate client-cert.pem –pkcs-cipher aes-256 –outfile shopper.p12 –outder

ocserv certificate authentication

Notice that the Ciso AnyConnect app on iOS doesn’t help AES-256 cipher, so if the consumer is utilizing iOS gadget, then you should use the 3des-pkcs12cipher.

sudo certtool –to-p12 –load-privkey client-privkey.pem –load-certificate client-cert.pem –pkcs-cipher 3des-pkcs12 –outfile shopper.p12 –outder

Now we’ve the shopper personal key and certificates mixed into one file shopper.p12.

Certificate Signing Request

So as to hold finish customers’ personal keys secret, customers can generate certificates signing request (CSR) with their very own personal keys, then ship certificates requests to admin, who then points shopper certificates to customers. First, they’ve to generate personal key and the shopper certificates template utilizing the instructions talked about above. Then generate a CSR with the next command. The request.pem file is signed by consumer’s personal key.

certtool –generate-request –load-privkey client-privkey.pem –template client-cert.cfg –outfile request.pem

Subsequent, the consumer sends the request.pem and client-cert.cfg file to admin, who runs the next command to generate shopper certificates.

sudo certtool –generate-certificate –load-ca-certificate ca-cert.pem –load-ca-privkey ca-privkey.pem –load-request request.pem –template client-cert.cfg –outfile client-cert.pem

After that, the admin sends client-cert.pem certificates file to the consumer.

Enabling Certificate Authentication in ocserv Daemon

Edit ocserv configuration file.

sudo nano /and so on/ocserv/ocserv.conf

To allow certificates authentication, uncomment the next line.

auth = “certificate”

If the next line can also be uncommented, meaning the consumer should additionally enter username and password. So if certificates authentication is sufficient to show id, then remark out the next line.

auth = “plain[passwd=/etc/ocserv/ocpasswd]”

In case you permit customers to selected both certificates authentication or password authentication, then add the next line.

enable-auth = “plain[passwd=/etc/ocserv/ocpasswd]”

Now discover the next line.

ca-cert = /and so on/ssl/certs/ssl-cert-snakeoil.pem

We’d like to use our personal CA certificates to confirm shopper certificates, so change this line to

ca-cert = /and so forth/ocserv/ssl/ca-cert.pem

Subsequent, discover the next line.

cert-user-oid = zero.9.2342.19200300.100.1.1

You don’t want to change it. I simply need to inform you that zero.9.2342.19200300.100.1.1 represents the UID filed in shopper certificates. The above line tells ocserv daemon to discover the username from the UID area of shopper certificates. If the shopper certificates is efficiently verified by the CA certificates and ocserv daemon can discover a matching username in /and so on/ocserv/ocpasswd file, then the shopper can login.

Save and shut the file. Then restart ocserv.

sudo systemctl restart ocserv

Utilizing Certificate Authentication on Ubuntu Desktop

Use the scp command to obtain the shopper.p12 file to your Ubuntu desktop.

scp [email protected]:/and so on/ocserv/ssl/shopper.p12 ~

Then set up the openconnect shopper software program.

sudo apt set up openconnect

To make use of certificates authentication, run

sudo openconnect -b -c shopper.p12

You may be requested to unlock shopper personal key with the password.

ocserv client certificate ubuntu

If the password is entered appropriately, you must now be related to VPN server.

Utilizing Certificate Authentication on Home windows and MacOS Desktop

Obtain OpenConnect GUI shopper for Window or MacOS from OpenConnect GUI Github Web page. Then create a brand new VPN connection profile and import the PKCS #12 file to consumer certificates area. Click on the Save button. You’ll need to enter the PIN to unlock the personal key. As soon as imported, you don’t have to enter username and password anymore.

openconnect GUI client certificate authentication

Utilizing Certificate Authentication on iOS Gadget

iOS customers can use the Cisco AnyConnect app. To import shopper certificates in AnyConnect app, you possibly can first ship the PKCS #12 file to your e-mail tackle in an attachment. Then open the mail app on iOS. Faucet the attachment a number of seconds and share it with AnyConnect. Then enter the PIN to import the file.

ios anyconenct import client certificate

As soon as it’s imported, edit your VPN connection in AnyConnect. Go to Superior -> Certificate and choose the shopper certificates. Save your settings.

ios anyconnect client certificate authentication

Now you don’t have to enter username and password anymore in your iOS system. The Cisco AnyConnect app doesn’t keep in mind username and password, so in password authentication mode, VPN connection will drop when the telephone is just not in use. In certificates authentication mode, the app will routinely reconnect to VPN server if connection is dropped.

I hope this tutorial helped you set up certificates authentication in OpenConnect VPN server. As all the time, in the event you discovered this submit helpful, then subscribe to our free publication to get extra ideas and tips. Take care ?

Price this tutorial

[Total: 6 Average: 4.5]

(perform(d, s, id)
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); = id;
js.src = “//”;
fjs.parentNode.insertBefore(js, fjs);
(doc, ‘script’, ‘facebook-jssdk’));