Preparation

  1. Put the client certificate and the client private key on the eToken or smartcard.
  2. Optional: Put the CA certificate on the eToken or smartcard.
  3. In Setup, go to Security > Smartcard > PC/SC.
  4. Enable Activate PC/SC Daemon.
  5. In Setup, go to Security > Smartcard > Middleware.
  6. Activate the matching PKCS#11 module for your eToken / smartcard.

Configuration

  1. In Setup, go to Network > VPN > OpenVPN and create a new connection.
  2. In the Session section for the new connection, enter the name or public IP address of the OpenVPN Server.
  3. Select Certificate on eToken or Smartcard as the Authentication Type.
  4. Select the Location of CA certificate:
    • File: Use the text input field for entering either an absolute file path or one relative to /wfs/OpenVPN/. Alternatively, use the file picker.
    • eToken or Smartcard: The CA certificate is provided on the eToken or smartcard.
    • Systemwide store: The CA certificate is either pre-installed by IGEL (see *._CA-certificates.txt files on http://www.myigel.biz) or has been deployed as a file with the classification SSL Certificate via UMS.
  5. Optional: If there is more than one certificate on the eToken or smartcard, the following fields can be used to match the desired certificate:
    1. Client certificate CN or DN: Enter the client certificate Common Name (CN), its Distinguished Name (DN) or parts thereof.
    2. The PKCS#11 token label or OpenVPN Serialized ID may also be used.
  6. Click an icon for the newly created session (e.g. in the Start Menu) to initiate the connection.

    The user will be prompted for the PIN of the eToken (alphanumeric) or smartcard (digits only) if necessary.

    Authenticating With Certificate on eToken or Smartcard
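
Added example (not IGEL's code): a check that the token holds a client certificate together with its private key, and that the value planned for Client certificate CN or DN selects exactly one of them. It reads a listing shaped like the output of OpenSC's pkcs11-tool --login --list-objects. The sample listing is constructed, the function names are hypothetical, and two points are assumptions: a certificate and its key are paired by an identical ID, and "parts thereof" is treated as a case-insensitive substring match.

```python
import re

# Constructed sample shaped like `pkcs11-tool --login --list-objects` output;
# labels, subjects and IDs are made up for this example.
SAMPLE_LISTING = """\
Certificate Object; type = X.509 cert
  label:      vpn-user
  subject:    DN: C=DE, O=Example Corp, CN=alice.vpn
  ID:         01
Private Key Object; RSA
  label:      vpn-user
  ID:         01
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      mail-signing
  subject:    DN: C=DE, O=Example Corp, CN=alice.mail
  ID:         02
Certificate Object; type = X.509 cert
  label:      Example Root CA
  subject:    DN: C=DE, O=Example Corp, CN=Example Root CA
  ID:         10
"""

def parse_objects(listing):
    """Split the listing into dicts with keys: kind, label, subject, id."""
    objects = []
    for line in listing.splitlines():
        header = re.match(r"^(Certificate|Private Key|Public Key) Object;", line)
        if header:
            objects.append({"kind": header.group(1)})
            continue
        field = re.match(r"^\s+(label|subject|ID):\s*(.*)$", line)
        if field and objects:
            value = field.group(2).strip()
            if field.group(1) == "subject":
                value = re.sub(r"^DN:\s*", "", value)
            objects[-1][field.group(1).lower()] = value
    return objects

def usable_client_certs(listing, pattern=""):
    """Certificates matching `pattern` that also have a private key with the same ID."""
    objs = parse_objects(listing)
    key_ids = {o["id"] for o in objs if o["kind"] == "Private Key" and "id" in o}
    needle = pattern.lower()  # assumption: case-insensitive substring match
    return [o for o in objs
            if o["kind"] == "Certificate" and o.get("id") in key_ids
            and (needle in o.get("subject", "").lower()
                 or needle in o.get("label", "").lower())]
```

An empty result means no certificate on the token has its private key alongside it; more than one result means the match fields in step 5 need a more specific value.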