Looking for more info on new System Identity feature


lravelo

Posts: 3
Joined: Wed Nov 30, 2022 9:03 am

Post by lravelo » Wed Nov 30, 2022 9:23 am
I've been looking for documentation on the new authentication feature that leverages the macOS keychain, but it seems it has not been updated, so I figured I'd ask here. I'm looking for a way to use a certificate issued by a Microsoft CA as a user cert to authenticate against our OpenVPN servers. I know the native OpenVPN client for Windows supports using cryptoapicert in the client config file in order to specify either a cert thumbprint or the subject of a cert within the Windows cert store. From what I understand, this new feature is the Mac equivalent (please correct me if I'm wrong). I've been trying to set this up but am not sure how to go about doing this. There are no options in the System Identity --> ID. I do have my user cert imported into the keychain along with the CA cert that issued it. Starting to think more and more that what is required is a computer cert and not a user cert. Would appreciate it if someone could clarify. Thank you in advance.

James

Posts: 2312
Joined: Thu Sep 04, 2008 9:27 pm

Post by James » Wed Nov 30, 2022 2:09 pm
Hi lravelo,

You need both the certificate and corresponding private key loaded into the Keychain for it to be recognised by macOS as an identity. If you only load the certificate it cannot be used for authentication and Viscosity will not list it as an available identity.

If you've done this, but it's still not appearing, try using the latest beta version, which improves support for finding additional certificates and tokens:
https://www.sparklabs.com/support/kb/ar ... -versions/

If you want to use the feature in a similar fashion to the cryptoapicert command on Windows, you can set the Retrieval option to "Use any identity that matches", and enter a Match DN. For example, to match on the certificate's name you could enter something like "CN=My Certificate Name".

You mention "certificate issued by a Microsoft CA": please be sure you understand the security measures put in place for this and that you're not inadvertently making your VPN setup insecure. For example, you need to ensure that the appropriate CA certificate is being used for verification, and keep in mind that by default OpenVPN will not enforce that the remote client/server's certificate matches the CN or SAN presented.

Cheers,
James
Web: https://www.sparklabs.com
Support: https://www.sparklabs.com/support
Twitter: https://twitter.com/sparklabs
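A quick way to confirm that macOS itself sees the certificate as an identity (certificate plus private key, as described above) before looking for it in Viscosity. This is an added example, not code from the thread or from SparkLabs: it parses the listing printed by `security find-identity -v -p ssl-client` and reports whether a valid identity with the given CN exists. The output layout used in the comments and sample is an assumption about that tool's format, and the `login.keychain` path is assumed.

```shell
#!/bin/sh
# Added example (not from Viscosity/SparkLabs). Checks an identity listing
# for a valid identity whose name matches the Match DN's CN value.
#
# Assumed layout of `security find-identity -v -p ssl-client` output:
#   Policy: SSL (client)
#     Matching identities
#     1) <SHA-1 hash> "Common Name"
#        1 identities found
#
#     Valid identities only
#     1) <SHA-1 hash> "Common Name"
#        1 valid identities found
#
# Only entries under "Valid identities only" count: a certificate whose
# private key is missing, or which fails the policy, is not listed there.

# match_identity CN LISTING -> exit 0 if a valid identity named CN exists
match_identity() {
  cn="$1"
  listing="$2"
  printf '%s\n' "$listing" | awk -v cn="$cn" '
    /Valid identities only/ { valid = 1 }
    valid && /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
      name = $0
      sub(/^[^"]*"/, "", name)   # strip everything up to the opening quote
      sub(/"$/, "", name)        # strip the closing quote
      if (name == cn) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# check_login_keychain CN -> query the real login keychain (macOS only;
# keychain path is an assumption) and report the result on stdout.
check_login_keychain() {
  cn="$1"
  listing="$(security find-identity -v -p ssl-client "$HOME/Library/Keychains/login.keychain-db" 2>/dev/null)"
  if match_identity "$cn" "$listing"; then
    echo "valid identity found for CN=$cn (certificate and private key present)"
    return 0
  fi
  echo "no valid identity for CN=$cn: import the private key with the certificate" >&2
  return 1
}
```

Run `check_login_keychain "My Certificate Name"` on the Mac; if it reports no identity, the keychain holds the certificate without its key (or the pair fails the client policy), which is exactly the case where Viscosity will not list it.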

lravelo

Posts: 3
Joined: Wed Nov 30, 2022 9:03 am

Post by lravelo » Thu Dec 01, 2022 12:49 am
Hi James,

Thanks for the feedback. I do have the corresponding private key for the cert imported into my login keychain. I imported it as a pfx. Both the user cert and the CA cert in the keychain are marked as trusted. I will try the beta version and will report back later. Thanks.

lravelo

Posts: 3
Joined: Wed Nov 30, 2022 9:03 am

Post by lravelo » Thu Dec 01, 2022 1:13 am
Seems like the upgrade to 1.10.5b8 (1618) did the trick. I was able to click on the plus sign and it found my cert. Thanks for the help!