OpenVPN Security Advisory: Dec 14, 2018
Action needed: Important update for OpenVPN Access Server

How do I use a client certificate and private key from the iOS Keychain?


Using the iOS keychain to store your private key has the added security advantage of leveraging on the hardware-backed keystores that exist on many iOS devices, allowing the key to be protected by the iOS-level device password, and preventing key compromise even if the device is rooted.

If you already have your client certificate and private key bundled into a PKCS#12 file (extension .p12 or .pfx), you can import it into the app private section of the iOS Keychain using Mail, Safari or iTunes. Note sure that the file extension has to be changed to .ovpn12 for the file to be picked up by the OpenVPN Connect App (and not by iOS).

Note that on iOS, when you import a PKCS#12 file into the Keychain, only the client certificate and private key are imported. The CA (certificate authority) certificates are NOT imported (unless you manually extract the CA certificates and import them separately, one-at-a-time). Therefore, the CA list must be given in the profile using the ca directive. If you already have a PKCS#12 file, the CA list may be extracted from the file using this openssl command, where the CA certs in client.p12 are written to ca.crt:

openssl pkcs12 -in client.p12 -cacerts -nokeys -out ca.crt

Then add a reference to ca.crt to your profile:

ca ca.crt

or paste the contents of ca.crt directly into your profile:

paste contents of ca.crt here

If you don't have a PKCS#12 file, you can convert your certificate and key files into PKCS#12 form using this opensslcommand (where certkey, and ca are your client certificate, client key, and root CA files).

openssl pkcs12 -export -in cert -inkey key -certfile ca -name MyClient -out client.ovpn12

Then import the client.ovpn12 file from the previous step into the app using Mail or Safari.

Once this is done, remove the cert and key directives from your .ovpn file and re-import it, making sure that the cadirective remains. Once imported, any profile that lacks cert and key directives will cause a Certificate row to appear on the main view, allowing the profile to be linked with an Identity from the iOS Keychain (on iOS, an Identity refers to a certificate/private-key pair that was previously imported using a PKCS#12 file). Touch the Certificate row and select the MyClient certificate. At this point, you should be able to connect normally.

Note that the iOS Keychain is accessible by the app only after the user has unlocked the device at least once after restart. For this reason a profile requiring a certificate stored in the Keychain to connect won't be able to do so automatically after restart.
This is a security measure to prevent an unknown person to access a VPN network using a device that was previously switched off.