Troubleshooting certificates – equinux VPN Tracker 6.4.6 User Manual

Page 76

Troubleshooting Certificates

Most errors can be resolved quickly by carefully following the hints given by
VPN Tracker in its log. However, here are some frequently asked questions that
cannot be covered by the log hints.

My connection works fine, but I am prompted for my keychain password or
keychain access permission every time I connect

‣ If you are using a smart card, this behavior is inherent to the way smart
cards work; storing the access code is not possible.

‣ If you are using normal certificates stored in your keychain, please make
sure the Mac OS X keychain subsystem has write access to the keychain
that your certificate and private key are stored in, and to the folder the
keychain is in. You can run the Keychain First Aid tool that is part of Keychain
Access (Keychain Access > Keychain First Aid) to verify permissions.

My certificate is only in the Remote Certificate list, however, I want to select
it as the Local Certificate

A certificate that is to be used as the local certificate must have its private key
stored in the keychain (or on the smart card). If a certificate does not have a
private key available, it will not be displayed in the Local Certificates list.

I cannot add my certificate to the keychain: Keychain Access keeps
complaining that the certificate already exists, but I searched for it and it is
not there!

A certificate is uniquely identified by the combination of issuer (i.e. the
certificate authority signing it) and the serial number. If your keychain already
contains a certificate issued by the same certificate authority with the same
serial number, it will not be possible to add another certificate with the same
issuer and serial number combination, even though the rest of the certificate
may be completely different.

Unfortunately, it is fairly easy to accidentally create certificates with duplicate
serial numbers when using the Mac OS X Certificate Assistant. There are two
possible ways of resolving this problem:

‣ Recreate the certificate using an unused serial number (in Certificate
Assistant, check the box “Let me override defaults” to modify the serial number)

‣ If it is not possible to recreate the certificate, put the offending
certificate into a separate keychain
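As an added check for this situation (example code, not part of the manual or of VPN Tracker), the script below groups DER-encoded certificates by their (issuer, serial number) pair so that a collision can be spotted before importing into a keychain. The DER helpers and the sample certificates are constructed for the example and carry no real signature; a real bundle would be fed in as DER bytes read from files.

```python
# Added example (not VPN Tracker or Apple code): group DER certificates by (issuer, serial).
def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_serial(cert):
    """Return (issuer Name DER, serial int) by walking the head of TBSCertificate."""
    _, tbs, _ = _tlv(cert, 0)                      # Certificate SEQUENCE
    _, pos, _ = _tlv(cert, tbs)                    # TBSCertificate SEQUENCE
    tag, start, end = _tlv(cert, pos)
    if tag == 0xA0:                                # optional [0] EXPLICIT version
        tag, start, end = _tlv(cert, end)
    if tag != 0x02:
        raise ValueError("expected INTEGER serialNumber")
    serial = int.from_bytes(cert[start:end], "big", signed=True)
    _, _, end = _tlv(cert, end)                    # signature AlgorithmIdentifier
    _, start, end = _tlv(cert, end)                # issuer Name (SEQUENCE)
    return cert[start:end], serial

def find_duplicates(certs):
    """Index groups sharing (issuer, serial); Keychain Access would refuse the
    second member of each group even though subject and key differ."""
    groups = {}
    for i, cert in enumerate(certs):
        groups.setdefault(issuer_and_serial(cert), []).append(i)
    return [idx for idx in groups.values() if len(idx) > 1]

# Constructed sample input: a minimal DER encoder, not a real certificate builder.
def _der(tag, content):
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x81, n])) + content
def _name(cn):   # Name ::= SEQUENCE { SET { SEQUENCE { OID 2.5.4.3 (CN), UTF8String } } }
    attr = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, attr))
def sample_cert(issuer_cn, serial, subject_cn):
    """Certificate-shaped DER (version, serial, alg, issuer, subject); unsigned."""
    alg = _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big", signed=True)
    tbs = _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, ser) + alg + _name(issuer_cn) + _name(subject_cn)
    return _der(0x30, _der(0x30, tbs) + alg + _der(0x03, b"\x00"))

BUNDLE = [sample_cert("Example CA", 1, "vpn-client"),
          sample_cert("Example CA", 1, "vpn-gateway"),   # same issuer and serial
          sample_cert("Example CA", 2, "vpn-client")]
print(find_duplicates(BUNDLE))   # [[0, 1]]
```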

I followed the advice in the log and double-checked my configuration, but
the connection still fails

Before contacting technical support, please run the Keychain First Aid tool
that is part of Keychain Access (Keychain Access > Keychain First Aid). Then try
connecting again. Also double-check that you have selected the correct
certificates. A certificate authority (CA) certificate should never be selected
as the local or remote certificate.

If the problem persists, and you need to contact us, please include the
following information with your support request:

‣ A Technical Support Report from VPN Tracker (Help > Generate Technical
Support Report)

‣ Screenshots of the VPN configuration on your VPN gateway, if possible

‣ The output of the Terminal command security dump-keychain (preferred), or
screenshots of the details of all certificates used with the connection: In
Keychain Access, select each certificate and choose “File > Get Info”. Make
sure the details are visible (click the triangle, if necessary) and take a
screenshot of the details.