<PAGE>

<INCLUDE file="inc/header.tmpl" />

<VAR match="VAR_SEL_STARTED" replace="selected" />

<VAR match="VAR_SEL_CONNECTING" replace="selected" />

<PARSE file="menu1.xml" />

<PARSE file="menu2-started.xml" />

<INCLUDE file="inc/content.tmpl" />

<p>Once you have <a href="building.html">installed</a> OpenConnect and checked that you have a

<a href="vpnc-script.html">vpnc-script</a> which will set up the routing and DNS for it, using OpenConnect

<ul>

<li><tt>openconnect https://vpn.mycompany.com/</tt></li>

</ul>

<ul>

<li><tt>openconnect --protocol=gp https://vpn.mycompany.com/</tt></li>

</ul>

</p>

<p>That should be it, if you have a password-based login. If your VPN uses

<a href="https://en.wikipedia.org/wiki/Client_certificate">TLS/SSL client certificates</a> for authentication,

you'll need to tell OpenConnect where to find the certificate with the <tt>-c</tt> option.</p>

<p>You can provide the certificate either as the file name of a PKCS#12 or PEM file,

or if OpenConnect is built against a suitable version of GnuTLS you can provide the

<li><tt>openconnect -c cert_and_private_key.pem https://vpn.mycompany.com/</tt></li>

<li><tt>openconnect -c certificate.pem -k private_key.pem https://vpn.mycompany.com/</tt></li>

</ul>

</p>

See the <a href="manual.html">manual</a> for additional options which can be used to tune

OpenConnect's connections, and automate various aspects of the authentication process (e.g.

populating multi-factor authentication codes using RSA- or OATH-based soft tokens).

</p>

<p>If your certificate is in the system certificate store, OpenConnect should be able

to use it when built against GnuTLS, as a "<a href="https://www.gnutls.org/manual/html_node/Application_002dspecific-keys.html">system key</a>".

</p>

<p>

To find the <tt>system:win:…</tt> URI to use for your key with the <tt>list-system-keys.exe</tt>

tool included with OpenConnect. Its output might look something like the following:

<table border="1"><tr><td><pre>

Label: (null)

Cert URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=cert

Key URI: system:win:id=37835fdcdfe2817ee22d6b161e54812fe95867fe;type=privkey

Cert info: subject `CN=d1ab215ccab521bc', issuer `CN=Token Signing Public Key', serial 0x2ce0193a3ecf4da9f0591cee9158e48ec53a8e54, RSA key 1024 bits, signed using DSA-SHA1 (broken!), activated `2020-05-07 06:48:59 UTC', expires `2020-05-14 06:48:59 UTC', pin-sha256="2XOidBPfppXj4REiuj9fIE3UYQK6TTQIODQajIOiLFi="

</pre></td></tr></table>

You can choose the certificate you need to use, and provide it to OpenConnect with the <tt>-c</tt> argument as shown in the last example above; omitting the <tt>;type=</tt> part.</p>

<p>

Note that as of the time of writing (2022-05-22; GnuTLS v3.7.5), GnuTLS is only able to use keys from the <tt>CERT_SYSTEM_STORE_CURRENT_USER</tt> store in Windows,

not the <tt>CERT_SYSTEM_STORE_LOCAL_MACHINE</tt> or <a href="https://docs.microsoft.com/en-us/windows/win32/seccrypto/system-store-locations">other locations</a>.

This is reported as <a href="https://gitlab.com/gnutls/gnutls/-/issues/1365">GnuTLS issue #1365</a>.

</p>

<p>

Even where the certificate is marked as "non-exportable", some have succeeded in stealing

certificates from their Windows certificate store using tools like

<a href="https://github.com/iSECPartners/jailbreak">Jailbreak</a> and

<a href="https://krestfield.github.io/docs/pki/exporting_a_nonexportable_certificate.html">mimikatz</a>.

</p>

<INCLUDE file="inc/footer.tmpl" />

</PAGE>