1. DigiAngel's Avatar
    Topic says it...I am stuck with cert based VPN....the Client Certificate dropdown is blank, even though I've imported the cert. Any help with this? At a stand still until I get this to go...on 10.3.0.908...thank you.
    02-26-15 01:54 PM
  2. BCITMike's Avatar
    I'm on latest and imported my cert fine. You're sure the import is happening error free?

    Posted via CB10
    02-26-15 02:33 PM
  3. BCITMike's Avatar
    Do you show all the root certs if you select "all" view?

    Posted via CB10
    02-26-15 02:34 PM
  4. DigiAngel's Avatar
    Yep...cert is there under all...but in the VPN setup screen it doesn't show up. I saw a few threads like this on the official bb site in reference to BES and what not....alas there were no answers to the questions. Thanks for the quick response.
    02-26-15 02:57 PM
  5. BCITMike's Avatar
    If it appears under "All" but not under "My Certificates", are you sure the cert is made properly? i.e., it's the server root cert and not the client cert?

    Will you be updating to 1581 build anytime soon? There were some VPN issues in earlier 10.3.1 builds (I know my PSK based VPN didn't work), I forget about 10.3.0 builds. I don't know if there could have been certificate bugs in that version as well.
    Last edited by BCITMike; 02-26-15 at 03:54 PM.
    02-26-15 03:43 PM
  6. DigiAngel's Avatar
    I just updated to that today...same issue alas...my Client Certificate dropdown is blank. I'm using the same certs I use to connect as a client from a Linuxbox and it works just fine so eh...guess I'll chalk it up to 10.3
    02-26-15 05:50 PM
  7. BCITMike's Avatar
    I wouldn't assume so. VPN/certs stuff should get major testing before official release and I don't think this would have slipped through.

    Did you generate the cert yourself, or someone gave it to you? Did they give you the root CA cert and the client cert? What format is it in? I converted mine to .p12 format so it had all the keys embedded in it.

    This was my guide ("Construct the .p12:" section):
    https://raymii.org/s/tutorials/IPSEC..._CentOS_7.html
    Last edited by BCITMike; 02-27-15 at 12:39 AM.
    02-26-15 06:54 PM
  8. DigiAngel's Avatar
    I did these myself using ipsec pki, per:

    https://github.com/strongswan/strongswan look for the "Roadwarrior case with virtual IP" section.

    These are all .pem files. Of interest, I noticed that as a client machine (laptop) I needed, per the example above:

    /etc/ipsec.d/cacerts/strongswanCert.pem
    /etc/ipsec.d/certs/carolCert.pem
    /etc/ipsec.secrets:
    : RSA carolKey.pem "<optional passphrase>"


    I was not able to import the key file however. I'll give converting the pem files to p12 a try tomorrow...thanks a bunch for the help.
    02-26-15 07:25 PM
  9. gawd0wns's Avatar
    I had the same problem after my device was updated to 10.3.1. I got it working, though I'm not sure what caused the problem. I added some new fields which I had not used before ('--flag clientAuth' when generating the client certs, '-name', and '-caname' when creating the .pfx file), so I think these are now mandatory. This is how I got it working, using the strongswan pki tool and openssl (last step for the pfx file):

    Generate a Certificate authority

    ipsec pki --gen --outform pem > caKey.pem

    ipsec pki --self --in caKey.pem --dn "C=CA, O=none, CN=Cert-Auth" --san="Cert-Auth" --ca --outform pem > caCert.pem


    Generate a server certificate:

    ipsec pki --gen --outform pem > serverKey.pem

    ipsec pki --pub --in serverKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=yourdomain-dot-com" --san="yourdomain-dot-com" --flag serverAuth --outform pem > serverCert.pem


    Generate your client certificates:

    ipsec pki --gen --outform pem > userKey.pem

    ipsec pki --pub --in userKey.pem | ipsec pki --issue --cacert caCert.pem --cakey caKey.pem --dn "C=CA, O=none, CN=device-name" --san "device-name@yourdomain-dot-com" --flag clientAuth --outform pem > userCert.pem


    Generate .pfx file to import

    openssl pkcs12 -export -inkey userKey.pem -in userCert.pem -name "device-name" -certfile caCert.pem -caname "Cert-Auth" -out bb-certs.pfx


    Import the certificates on to your device (Copied from the 10.3.1 manual)

    1. Tap Settings > About.
    2. In the Category drop-down list, tap Network.
    3. In the Wi-Fi or USB section, make note of the IPv4 address.
    4. On your computer, navigate to and copy a certificate file:
    (a) If your computer uses a Windows operating system, in a Run command, type the IP address in the following format: \\xxx.xxx.xxx.xxx
    (b) If your computer uses a Windows operating system, open the media\downloads folder. If necessary, enter the username and storage access password
    5. Paste the certificate into the media\downloads or media/downloads folder.
    6. On your device, tap > Security and Privacy > Certificates > Import
    7. Follow the instructions on the screen
    02-26-15 09:18 PM
  10. BCITMike's Avatar
    Based on my working setup following the link in my last post, I don't think the --flag clientAuth is now mandatory in the client. In my .p12 file, I do have -name and -caname, so those are possibly mandatory fields now.
    02-27-15 12:47 AM
  11. DigiAngel's Avatar
    Thanks to you both...very helpful information!
    02-27-15 05:44 AM
  12. DigiAngel's Avatar
    Converting this to .p12 did the trick...makes sense when I stop and think about it. Small tidbit to know is that you MUST have an export password, 10.3.1 didn't like a missing one. Thanks again for all the help!
    02-27-15 06:30 AM
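
The checks this thread converged on (the bundle must carry the private key with its client certificate, have a non-empty export password, and possibly a friendly name), as an added example that is not part of any post above. The function names are hypothetical, and the sample bundles are constructed, throwaway self-signed ones made with `openssl req` rather than `ipsec pki`.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of a PKCS#12 bundle before importing it.
# check_p12 FILE PASSWORD returns: 0 ok, 1 empty export password,
# 2 cannot open (wrong password / not PKCS#12), 3 no private key inside,
# 4 no client cert matching the key, 5 no friendlyName (-name not used).
check_p12() {
  local p12="$1" certs key
  P12_PASS="$2"; export P12_PASS   # env, so the password is not shown in `ps`
  [ -n "$P12_PASS" ] || return 1
  certs=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null) || return 2
  key=$(openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes 2>/dev/null) || return 2
  # A certificate without its key cannot act as a client identity.
  printf '%s\n' "$key" | grep -q 'PRIVATE KEY-----' || return 3
  [ "$(printf '%s\n' "$certs" | openssl x509 -noout -pubkey 2>/dev/null)" = \
    "$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null)" ] || return 4
  printf '%s\n' "$certs" | grep -q 'friendlyName' || return 5
}

# Informational: does the client cert carry the clientAuth EKU (--flag clientAuth)?
p12_has_client_auth() {
  P12_PASS="$2"; export P12_PASS
  openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text 2>/dev/null | grep -q 'TLS Web Client Authentication'
}

# Constructed sample input (self-signed, throwaway): writes DIR/ok.p12,
# DIR/noname.p12 (no -name) and DIR/certonly.p12 (no private key).
make_samples() {
  local d="$1"
  P12_PASS="$2"; export P12_PASS
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=device-name" \
    -addext "extendedKeyUsage=clientAuth" \
    -keyout "$d/userKey.pem" -out "$d/userCert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$d/userKey.pem" -in "$d/userCert.pem" \
    -name "device-name" -passout env:P12_PASS -out "$d/ok.p12" &&
  openssl pkcs12 -export -inkey "$d/userKey.pem" -in "$d/userCert.pem" \
    -passout env:P12_PASS -out "$d/noname.p12" &&
  openssl pkcs12 -export -nokeys -in "$d/userCert.pem" \
    -passout env:P12_PASS -out "$d/certonly.p12"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_samples "$d" "constructed-pass"
  for f in ok noname certonly; do
    check_p12 "$d/$f.p12" "constructed-pass"; echo "$f.p12 -> $?"
  done
fi
```

Run with `--demo` to see the three constructed bundles classified; on a real bundle, call `check_p12 bb-certs.pfx "$PASSWORD"` and read the exit status.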