It is also possible to create Provisioning Profiles that have no .p12 payload. In this case the key and certificate have to be embedded in the VPN settings.
Please see the sample file below:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>IPv4</key>
      <dict>
        <key>OverridePrimary</key>
        <integer>0</integer>
      </dict>
      <key>PayloadDescription</key>
      <string>Configures VPN settings</string>
      <key>PayloadDisplayName</key>
      <string>VPN</string>
      <key>PayloadIdentifier</key>
      <string>com.apple.vpn.managed.C69FB197-D553-4A78-B024-CBCCFD7F731F</string>
      <key>PayloadType</key>
      <string>com.apple.vpn.managed</string>
      <key>PayloadUUID</key>
      <string>C69FB197-D553-4A78-B024-CBCCFD7F731F</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>Proxies</key>
      <dict>
        <key>HTTPEnable</key>
        <integer>0</integer>
        <key>HTTPSEnable</key>
        <integer>0</integer>
      </dict>
      <key>UserDefinedName</key>
      <string>test client</string>
      <key>VPN</key>
      <dict>
        <key>AuthName</key>
        <string>DEFAULT</string>
        <key>AuthenticationMethod</key>
        <string>Password</string> <!-- NOTE: IMPORTANT WHEN NOT APPENDING A .P12 PAYLOAD -->
        <key>RemoteAddress</key>
        <string>DEFAULT</string>
      </dict>
      <key>VPNSubType</key>
      <string>net.openvpn.connect.app</string> <!-- NOTE: CHANGED SINCE v1.2.5 -->
      <key>VPNType</key>
      <string>VPN</string>
      <key>VendorConfig</key>
      <dict>
        <key>ca</key>
        <string>-----BEGIN CERTIFICATE-----\nxxxxxxxxx\n-----END CERTIFICATE-----\n</string>
        <key>cert</key>
        <string>-----BEGIN CERTIFICATE-----\nxxxxxxxxxx\n-----END CERTIFICATE-----\n</string>
        <key>cipher</key>
        <string>AES-256-CBC</string>
        <key>client</key>
        <string>NOARGS</string>
        <key>dhcp-option</key>
        <string>DNS 8.8.8.8</string>
        <key>key</key>
        <string>-----BEGIN PRIVATE KEY-----\nxxxxxxxxxx\n-----END PRIVATE KEY-----\n</string>
        <key>remote</key>
        <string>192.168.1.192 1194 udp</string>
        <key>vpn-on-demand</key>
        <string>0</string>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>client-LAN</string>
  <key>PayloadIdentifier</key>
  <string>myidentifier.01C011CB-5A34-486B-ACAC-699374A9D772</string>
  <key>PayloadRemovalDisallowed</key>
  <false/>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>EF2888C0-F204-4B17-BF46-3FD16493C9B2</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
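
The following Python check is an added example, not part of the original page or of OpenVPN's tooling. It reads a profile in the format above and verifies the points the sample's notes call out, and it reports when the profile file itself carries a private key. The function name `lint_profile`, the finding texts and the constructed `SAMPLE` are assumptions of this example; `com.apple.security.pkcs12` is Apple's payload type for a .p12 payload.

```python
import plistlib

P12_TYPE = "com.apple.security.pkcs12"   # Apple's PKCS#12 payload type
VPN_TYPE = "com.apple.vpn.managed"
SUBTYPE = "net.openvpn.connect.app"      # value used in the page's sample

# Constructed sample: minimal profile in the page's format, placeholder PEM bodies.
SAMPLE = rb"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array><dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>VPNSubType</key><string>net.openvpn.connect.app</string>
  <key>VPN</key><dict><key>AuthenticationMethod</key><string>Password</string></dict>
  <key>VendorConfig</key><dict>
    <key>ca</key><string>-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n</string>
    <key>cert</key><string>-----BEGIN CERTIFICATE-----\nxxxx\n-----END CERTIFICATE-----\n</string>
    <key>key</key><string>-----BEGIN PRIVATE KEY-----\nxxxx\n-----END PRIVATE KEY-----\n</string>
  </dict>
</dict></array></dict></plist>"""

def lint_profile(data: bytes) -> list[str]:
    """Return findings for the VPN payloads of a .mobileconfig (hypothetical helper)."""
    payloads = plistlib.loads(data).get("PayloadContent", [])
    has_p12 = any(p.get("PayloadType") == P12_TYPE for p in payloads)
    findings = []
    for p in payloads:
        if p.get("PayloadType") != VPN_TYPE:
            continue
        vendor = p.get("VendorConfig", {})
        if p.get("VPNSubType") != SUBTYPE:
            findings.append(f"VPNSubType is not {SUBTYPE}")
        if not has_p12:
            # Without a .p12 payload the sample sets Password and embeds cert/key.
            if p.get("VPN", {}).get("AuthenticationMethod") != "Password":
                findings.append("no .p12 payload: AuthenticationMethod is not Password")
            for name in ("cert", "key"):
                if name not in vendor:
                    findings.append(f"no .p12 payload: VendorConfig has no {name}")
        if "PRIVATE KEY-----" in str(vendor.get("key", "")):
            findings.append("profile embeds a private key; handle the file as a secret")
    return findings

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print(finding)
```
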