ZyXEL SecuExtender on Mac OSX Import Certificate greyed out

nielsscheldeman

I have to install vpn client on a MAC, but if I want to import the (selfsigned) certificate (PEM → User certificate → certificate.crt) the OK button stays greyed out. On WIndows SecuExtender never had this problem. What am I doing wrong?

nielsscheldeman

Thank god we have Microsoft Windows!

I asked Thegreenbow(manufacturer of SecuExtender) and they advised me to first create the profile on WIndows, export it and then import it on MAC OSX. This seemed to work surprisingly. Now I can hopefully remove that Apple from my desk for a long time.

Zyxel_Judy

Hi @nielsscheldeman ,

To better assist you, could you please provide:

1. Your macOS version
2. Your SecuExtender version
3. A video recording of the certificate import process

If possible, please also share your self-signed certificate so we can try to reproduce the issue.

nielsscheldeman

Mac_Version.png

SecuExtender_VPN_Client_Version.png

Video is via Wetransferlink:

https://we.tl/t-0Lo2jyfLHv

nielsscheldeman

Ok, so I got further, but still not far enough. If I export certificate with key, then I can import it on the MAC. Even better, the VPN connects! Hooray, all set, called client with the good news.

…

Until saving the configuration. The certificate disappears? How? Why? Why doesn't saving the config, saves the certificate? Is this something with rights on OSX?

If I create a dummy TLS and import certificate in there, then it does save…

Zyxel_Judy

Hi @nielsscheldeman ,

• Method 1 - Recommended Approach:
  

We strongly recommend using the "Get from Server" method to obtain the IKEv2 configuration file on your Mac system. This approach bypasses the need for manual certificate importation and helps avoid security setting complications from Mac system.

https://community.zyxel.com/en/discussion/12522/remote-access-vpn-wizard-for-secuextender-ipsec-and-non-secuextender-ipsec-vpn-clients

• Method 2 - Manual Certificate Import - your initial approach:
  

If you need to manually import the certificate in SecuExtender on Mac, you need follow these steps:
1/ Import the certificate into your Mac through the "Keychain Access" software and "Trusted" it
2/ Under SecuExtender > Certificate, select the certificate

nielsscheldeman

Method 1 isn't possible. VPN Tunnel is created long time ago and is in use for many Windows users which works fine. Since it isn't done by Wizard, I can't export OSX config(correct me if I'm wrong)

Method 2: imported (self signed) certificate in keychain works if I don't export certificate from FLEX with password. If I export with password, it always says password is wrong, in SecuExtender the password is accepted.

So it is now imported, but I don't see it in SecuExtender. I can only import it if I set password on the certificate(opposite way of keychain). I go to Certificate, Import Certificate, P12 format, select certificate. VPN works!

Now save config, certificate is gone and VPN won't work anymore.

nielsscheldeman

Thank god we have Microsoft Windows!

I asked Thegreenbow(manufacturer of SecuExtender) and they advised me to first create the profile on WIndows, export it and then import it on MAC OSX. This seemed to work surprisingly. Now I can hopefully remove that Apple from my desk for a long time.