I've been able to successfully set up an IKEv2/IPSec VPN Server using certificate authentication. However, I have a general issue regarding the correct method of creating P12 user certificates.
I've been using the following method:
ipsec pki --gen --outform pem > test.client.pem
ipsec pki --pub --in test.client.pem | ipsec pki --issue --cacert cacerts/ca.cert.pem --cakey private/ca.pem --dn "C=UK, O=Test Organisation, CN=Test User" --outform pem > certs/test.client.cert.pem
openssl pkcs12 -export -inkey test.client.pem -in certs/test.client.cert.pem -name "Test User" -certfile cacerts/ca.cert.pem -caname "Test User VPN Certificate" -out p12/test.client.cert.p12
When I insert test.client.cert.p12 into my Android device, the certificate works. However, when I try to view the certificate in Linux, it says the file is corrupted. Thus: [screenshot: Viewing P12 Certificate]
Also, when I try to add the P12 Certificate to the Keystore Access app on an Apple Mac, it does not recognise the password assigned to the certificate.
However, (and this is where it gets interesting), when I import test.client.cert.p12 into my Brave browser, after prompting for the password, it allows the certificate to be added. Here is an example: [screenshot: Imported certificate into Brave]
Then, when I export the certificate file back out to a file (nominating and confirming a password), the new P12 certificate works in all instances. Thus: [screenshot: Working P12 Certificate]
Which brings me back to the code: What am I missing in the above code that is causing the P12 client certificate to become unreadable (except for Android)? I don't want to have to go through the process of importing and exporting the P12 certificate via my browser each time I have to generate a new certificate.
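The `openssl pkcs12 -export` step is the one to inspect when a P12 opens on one platform and reads as corrupt or "wrong password" on another. With no algorithm flags, that command uses whatever the installed OpenSSL version defaults to: OpenSSL 3 defaults to AES-256-CBC under PBES2/PBKDF2 with a SHA-256 MAC, while 1.1.1 and earlier default to the original PKCS#12 schemes (SHA-1 with 3DES for the key, SHA-1 with RC2-40 for the certificates, SHA-1 MAC). A reader that only implements the older schemes rejects the newer file, and the error it reports is often "corrupt" or "bad password" rather than "unsupported algorithm". Whether that is what happened here is not established by the question; the script below is an added example, not part of the question or of strongSwan, that shows how to check. It builds a throwaway CA and client certificate with openssl alone (standing in for the `ipsec pki` steps), exports the P12 once with defaults and once pinned to SHA-1/3DES, and prints the MAC and bag-encryption algorithms of each file so the two can be compared with what the rejecting client supports. The scratch directory, file names and the sample password are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the question: reproduce the export step with openssl
# only and show which PBE/MAC algorithms each resulting P12 carries.
set -eu

WORK="${WORK:-$(mktemp -d)}"               # scratch directory (constructed)
P12_PASS="${P12_PASS:-example-password}"  # sample password (constructed); real exports
                                          # should take it from -passout file:/fd: or the prompt

# Throwaway CA plus client key/cert, a stand-in for the ipsec pki --gen/--issue steps.
make_test_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/C=UK/O=Test Organisation/CN=Test CA" \
    -keyout "$WORK/ca.key.pem" -out "$WORK/ca.cert.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/C=UK/O=Test Organisation/CN=Test User" \
    -keyout "$WORK/client.key.pem" -out "$WORK/client.csr.pem" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/client.csr.pem" \
    -CA "$WORK/ca.cert.pem" -CAkey "$WORK/ca.key.pem" -CAcreateserial \
    -out "$WORK/client.cert.pem" 2>/dev/null
}

# Export as in the question: no algorithm flags, so the installed OpenSSL's
# defaults decide the bag encryption and the MAC digest.
export_default() {
  openssl pkcs12 -export -inkey "$WORK/client.key.pem" -in "$WORK/client.cert.pem" \
    -name "Test User" -certfile "$WORK/ca.cert.pem" -caname "Test CA" \
    -passout "pass:$P12_PASS" -out "$WORK/default.p12"
}

# Same export pinned to the original PKCS#12 schemes (SHA-1 + 3DES, SHA-1 MAC),
# which readers that predate PBES2/AES support still accept.
export_compat() {
  openssl pkcs12 -export -inkey "$WORK/client.key.pem" -in "$WORK/client.cert.pem" \
    -name "Test User" -certfile "$WORK/ca.cert.pem" -caname "Test CA" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$P12_PASS" -out "$WORK/compat.p12"
}

# Lines from `openssl pkcs12 -info` that name the MAC digest and the bag
# encryption; the first thing to compare when one client rejects a P12 another accepts.
p12_algorithms() {
  openssl pkcs12 -info -in "$1" -passin "pass:$P12_PASS" -nodes -out /dev/null 2>&1 \
    | grep -E '^(MAC:|PKCS7|Shrouded)' || true
}

# MAC digest name only, lower-cased (e.g. "sha1" or "sha256"), for scripted checks.
p12_mac_alg() {
  p12_algorithms "$1" | sed -n 's/^MAC: \([A-Za-z0-9-]*\),.*/\1/p' | tr 'A-Z' 'a-z'
}

# Exit 0 if the P12 parses with the given password, non-zero otherwise.
p12_opens() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -out /dev/null >/dev/null 2>&1
}

make_test_pki
export_default
export_compat
for f in default compat; do
  echo "== $f.p12 =="
  p12_algorithms "$WORK/$f.p12"
done
```

On an OpenSSL 3 host the `default.p12` summary shows `MAC: sha256` and `PBES2, PBKDF2, AES-256-CBC`, while `compat.p12` shows `MAC: sha1` and `pbeWithSHA1And3-KeyTripleDES-CBC`; on 1.1.1 both files use the SHA-1 schemes. If a client accepts the second file and not the first, the client's PKCS#12 algorithm support is the cause and the three pinned flags (or the equivalent `-legacy` option on OpenSSL 3) are the fix; if it rejects both, the cause lies elsewhere.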