3

I just set up an OpenVPN server, version 2.4.4. It works well with the OpenVPN client on Windows and Android, but errors on Mac OS.

Tue Dec 10 10:50:31 2019 OMI Connecting to /Library/Application Support/OpenVPN/sock/ovpn-KTMpKfLsCR5a.sock [unix]
Tue Dec 10 10:50:35 2019 CLIENT_EXCEPTION : connect error: Missing External PKI alias [FATAL-ERR]
Tue Dec 10 10:50:35 2019 >FATAL:CLIENT_EXCEPTION: connect error: Missing External PKI alias

I'm testing on macOS version 10.4.4 and OpenVPN client 2.7.1.100. Below is client.ovpn:

client
dev tun
proto tcp-client
remote vpn01 9443
resolv-retry infinite
cipher AES-256-CBC
redirect-gateway

# Keys
# Identity
key-direction 1
remote-cert-tls server
auth-user-pass
auth-nocache

# Security
nobind
persist-key
persist-tun
comp-lzo
verb 3

# Proxy ?
# http-proxy cache.univ.fr 3128
<ca>
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIUdu/viXgfwhA+wu0K49vvnXaCyFkwDQYJKoZIhvcNAQEL
BQAwHDEaMBgGA1UEAwwRdnBuMDEuaG9tZWNjYS5jb20wHhcNMTkxMjA5MTA1NTQ5

Any ideas on what might be causing this issue?

Tien Dung Tran
  • 1,127
  • 4
  • 16
  • 32

3 Answers

5

I had this same problem with the OpenVPN Connect client on macOS. I switched to the Tunnelblick client software, and using the same .ovpn file it worked fine. I have not been able to find any clues on why OpenVPN Connect does not work, though.

Spencer
  • 301
  • 2
  • 4
1

You should try editing your *.ovpn profile:

Delete your profile in the OpenVPN client, then edit the .ovpn file you exported from the server and add the following line before

client-cert-not-required

I got this answer from https://forum.opnsense.org/index.php?topic=14687.0

This was the error before:

Open VPN error

Profile modification fixed this error.

Anton Starcev
  • 1,138
  • 12
  • 9
0

External PKI implies that the OpenVPN Connect client uses an 'external certificate' as opposed to its configuration 'profile', the .ovpn file, which can also carry inline PEM certificates. In my understanding, this external PKI can be a certificate inside the Windows certmgr or macOS Keychain certificate stores (or those on mobile devices). In the case of Windows, it's easy and it works. macOS is another story.

Currently (as of 2020-04) Catalina is the latest macOS release and it has only the CryptoTokenKit (CTK) framework; Tokend is gone. When using hardware security modules (HSMs), smartcards or USB tokens, those do not appear in Keychain anymore like they did with Tokend. I don't understand why. And if this 'external PKI' is really looking for that certificate in Keychain, this is a problem.

https://openvpn.net/vpn-server-resources/external-public-key-infrastructure-pki/

says

On the client, the server-locked profile can only be used to make a VPN tunnel connection if a suitable client certificate/key pair has already been installed into the host OS Keychain or certificate/key store. Some hardware devices or tokens contain a certificate inside that is registered with the certificate store with additional software when the token device/card is plugged in.

and from the rest of the page and what I've read elsewhere, I guess that this missing alias is a name that would map that certificate inside Keychain to a given connection attempt. Not sure though.

In my understanding, the real problem is that the Connect client is looking for certificates in Keychain and Apple's switch to CTK broke it. Even though those hardware tokens are working in the system, they don't appear in Keychain. I was looking for solutions to undo this change and stumbled onto keychain-pkcs11, which says:

https://github.com/kenh/keychain-pkcs11/blob/master/man/keychain-pkcs11.man

will provide two virtual PKCS#11 slots. The first slot will provide all identities that are available from connected SmartCards. The second slot will provide an interface to certificates stored in the operating system Keychain.

which is not exactly what I was looking for. It provides those Keychain certs to the outside through a PKCS#11 plugin, but doesn't feed HSM certs into Keychain.

It's a bit hard to solve a problem when you're not exactly sure whether you understood the actual problem picture correctly, let alone figure out the solution to it. :)

Juha Tuomala
  • 111
  • 11
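The second answer suggests a profile edit and the third explains that "external PKI" means the client expects an identity from the OS certificate store rather than from the profile. The script below is an added example, not code from the question, from any answer, or from the OpenVPN project: it inspects an .ovpn profile and reports which of those situations the profile is in. The classification rule is an assumption stated in the comments (a profile with a <ca> block but no client <cert>/<key>, no cert/key/pkcs12 directive and no client-cert-not-required line is the case in which the client has to look for an external identity), and the sample profile it writes is constructed to resemble the one in the question, with a placeholder in place of the certificate body.

```shell
#!/bin/sh
# Added example, not from the question or any answer: classify an .ovpn
# profile by how the client is expected to prove its identity.
# Assumption (labelled): OpenVPN Connect treats a profile that carries a <ca>
# block but no client <cert>/<key> (and no cert/key/pkcs12 directive and no
# client-cert-not-required line) as one that must use an "external PKI"
# identity from the OS certificate store; that is the situation the
# "Missing External PKI alias" message in the question describes.

# profile_identity_mode FILE -> prints inline | file | none-required | external
profile_identity_mode() {
    f=$1
    if grep -q '^<cert>' "$f" && grep -q '^<key>' "$f"; then
        echo inline          # certificate and key embedded in the profile
    elif grep -Eq '^(cert|key|pkcs12)[[:space:]]' "$f"; then
        echo file            # identity referenced as separate files
    elif grep -q '^client-cert-not-required' "$f"; then
        echo none-required   # the directive the second answer adds
    else
        echo external        # nothing in the profile: client looks in the OS store
    fi
}

# profile_uses_password FILE -> exit status 0 if auth-user-pass is present
profile_uses_password() {
    grep -q '^auth-user-pass' "$1"
}

# write_sample_profile FILE [extra-line]: constructed profile modelled on the
# question's client.ovpn; the certificate body is a placeholder, not a real cert.
# Note that "key-direction 1" is kept so the cert|key|pkcs12 check can be seen
# to ignore it (it is followed by '-', not whitespace).
write_sample_profile() {
    out=$1
    extra=${2:-}
    {
        cat <<'EOF'
client
dev tun
proto tcp-client
remote vpn01 9443
key-direction 1
remote-cert-tls server
auth-user-pass
auth-nocache
EOF
        if [ -n "$extra" ]; then printf '%s\n' "$extra"; fi
        cat <<'EOF'
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERTIFICATE-BODY
-----END CERTIFICATE-----
</ca>
EOF
    } > "$out"
}

# report FILE: one-line summary of what the profile relies on
report() {
    mode=$(profile_identity_mode "$1")
    if profile_uses_password "$1"; then pw=yes; else pw=no; fi
    echo "$1: identity=$mode auth-user-pass=$pw"
}

tmpdir=$(mktemp -d)
write_sample_profile "$tmpdir/as-posted.ovpn"
write_sample_profile "$tmpdir/edited.ovpn" client-cert-not-required
report "$tmpdir/as-posted.ovpn"   # identity=external auth-user-pass=yes
report "$tmpdir/edited.ovpn"      # identity=none-required auth-user-pass=yes
rm -rf "$tmpdir"
```

Run it against a real exported profile with `report /path/to/client.ovpn` after sourcing the functions; a result of `identity=external` together with `auth-user-pass=yes` is the combination the question shows, where the server authenticates users by password but the profile still leaves the client looking for a certificate it does not have.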