Local certificate, Remote certificate, Identifiers based on certificates – equinux VPN Tracker 8.1.1 User Manual
Page 77: Advanced certificate settings

Local Certificate
The local certificate is the certificate you use to identify yourself to the VPN gateway as a user/client. It is sometimes called a client certificate or user certificate. A private key is required for the local certificate, since it must sign messages to the VPN gateway.
If you cannot find your certificate here even though you have imported it into the OS X keychain, make sure the corresponding private key is also available in the keychain. You can easily check that by selecting the “My Certificates” category in Keychain Access. If the certificate does not appear there, the private key is missing.
Inspecting a Certificate
Click the triangle to see the details for the selected certificate.
Remote Certificate
The remote certificate is the VPN gateway’s certificate. A private key is not needed. There are two options:
‣ Select your VPN gateway’s certificate, or
‣ Select “Use certificate supplied by peer” to use the certificate the VPN gateway sends upon connecting, and verify it against the certificate authorities installed on your Mac. If verification fails, you will be prompted to verify the certificate manually.
Even though CA certificates may show up in the list, you should not select one: selecting a CA certificate as the remote certificate will not work.
Certificates and Exported Connections
Certificates are never included in an exported connection, since most organizations with a PKI infrastructure already have well-established (and secure) procedures in place for distributing certificates to users. The exported connection does, however, include the information about which certificates were selected.
When exporting an unlocked connection:
‣ If the selected certificates are present on the recipient’s Mac, VPN Tracker will use these certificates
‣ If the selected certificates do not exist on the recipient’s Mac, the recipient will be able to select different certificates
When exporting a locked connection:
‣ The recipient will not be able to edit their VPN connection settings. It is therefore important to select the correct certificates before exporting
Identifiers Based on Certificates
It is possible to use the information from certificates as an identifier for the VPN connection. To do this, set the Local (Remote) Identifier to “Local (Remote) Certificate”. VPN Tracker will then use the certificate’s information (such as subject, organization, country etc.) as the identifier for the connection.
Certificate Identifier Types
A “Local (Remote) Certificate” identifier will technically be sent as an identifier of type ASN.1 Distinguished Name (DN). On your VPN gateway, such an identifier may also be called simply Distinguished Name or Subject.
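An added example (not from the manual or from equinux) of what that identifier type is on the wire: a minimal DER encoder and parser for an X.509 Name in standard-library Python, with the subject values constructed for the demonstration. It encodes a subject the way it travels in the IKE ID payload and parses a received one back, which is the comparison a gateway configured with a Subject/DN identifier performs.

```python
# Added example, not from the VPN Tracker manual: a "Local/Remote Certificate" identifier
# is the certificate's subject Name in DER (IKE ID type ID_DER_ASN1_DN). Stdlib only.
OIDS = {"C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}

def _tlv(tag, body):  # DER tag-length-value; long-form length above 127 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _oid(dotted):  # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

NAMES = {_oid(d): n for n, d in OIDS.items()}  # OID TLV bytes -> short name
def encode_dn(rdns):  # rdns: ordered (type, value) pairs, one attribute per RDN
    body = b""
    for typ, val in rdns:  # AttributeTypeAndValue ::= SEQUENCE {OID, UTF8String}
        body += _tlv(0x31, _tlv(0x30, _oid(OIDS[typ]) + _tlv(0x0C, val.encode())))
    return _tlv(0x30, body)  # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue)

def _read_tlv(buf, i):  # returns (tag, value bytes, index just past this TLV)
    tag, n, i = buf[i], buf[i + 1], i + 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + n], i + n

def decode_dn(der):  # parse a DER Name; PrintableString values decode as well
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("identifier is not a DER Name")
    rdns, i = [], 0
    while i < len(body):
        t_set, rdn, i = _read_tlv(body, i)
        t_seq, atv, _ = _read_tlv(rdn, 0)
        t_oid, oid, j = _read_tlv(atv, 0)
        if (t_set, t_seq, t_oid) != (0x31, 0x30, 0x06):
            raise ValueError("malformed RelativeDistinguishedName")
        _, val, _ = _read_tlv(atv, j)
        rdns.append((NAMES.get(_tlv(0x06, oid), "?"), val.decode()))
    return rdns
```

Comparing `decode_dn(received)` against the configured subject is the whole check; an attribute order or spelling that differs from the certificate (for example “O=Equinux” vs “O=equinux”) fails it, which is why the manual recommends taking the identifier from the certificate itself.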
Advanced Certificate Settings
There are several settings on the Advanced tab that influence how certificates are verified. These options should usually be left enabled. For more information, see the
1 Locked connections require the VPN gateway certificate or a trusted CA that signed the certificate. If your VPN gateway is not capable of transmitting its certificate, the certificate is always required.