Skip to main content

Hi guys,

I've been left in charge of getting our MacBooks configured to talk to our IKEv2-based VPN. Unfortunately, the person that set all this up server-side has long since left the organization.

I've been provided with a ZIP containing the following files:

openssl.cnf company.com.csr company.com.key company.com.crt.txt gen-csr company.com.crt

...and PKI is not really my strong point yet. Can anyone advise how I can go about creating a certificate bundle that will be suitable for the System Keychain (we use device-based authentication).

If all goes well then the next step would be for me to create a configuration profile in Jamf containing the relevant certificate.

So if I try:

openssl pkcs12 -export -inkey company.com.key -in company.com.crt -out newcert.p12

....I get the message:

No certificate matches private key

....and if I concatenate the .crt and .key files via:

cat company.com.crt company.com.key > server.pem

The System Keychain will import the server.pem but it doesn't recognize the private key, and therefore System Preferences > Network > VPN won't see the relevant certificate.

Any ideas most welcome!

Could be that your cert is the wrong format.

Try this:
Convert the certificate: openssl x509 -inform DER -outform PEM -in company.com.crt -out company.com.pem

Build the PKCS#12: openssl pkcs12 -inkey company.com.key -in company.com.pem -export -out newcert.p12

Found here: Stack Overflow

@merps The first command gives me the following output:

unable to load certificate
4589028972:error:0DFFF0A8:asn1 encoding routines:CRYPTO_internal:wrong tag:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/asn1/tasn_dec.c:1125:
4589028972:error:0DFFF03A:asn1 encoding routines:CRYPTO_internal:nested asn1 error:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.260.1/libressl-2.6/crypto/asn1/tasn_dec.c:306:Type=X509
Terms & ConditionsCookie settingsAccessibility statement