Need support to combine PKCS#12 with CA file
OpenVPN supports combining a PKCS#12 file with an external CA file, which allows additional authorities to be trusted. Setting both the "ca" and "pkcs12" options works fine. This is really useful when the OpenVPN server certificate is issued by an authority different from the OpenVPN users' CA (embedded in the p12 file), or during a CA migration, because it allows a smooth transition from one CA to another.
However, this is not possible at the NetworkManager-openvpn level with the current behaviour (well described in 9d680108): we cannot set an additional CA file without breaking p12 use.
Concretely, the UI should allow us to generate the following configuration file:
ca=ca.pem
cert=perso.p12
key=perso.p12
And then NetworkManager should be able to handle this in nm-openvpn-service.c the following way:
static void
args_add_vpn_certs (GPtrArray *args, NMSettingVpn *s_vpn)
{
...
    /* cert and key pointing at the same file means a PKCS#12 bundle:
     * pass an additional --ca alongside --pkcs12 instead of dropping it. */
    if (   nmovpn_arg_is_set (ca)
        && nmovpn_arg_is_set (cert)
        && nmovpn_arg_is_set (key)
        && nm_streq (cert, key)) {
        args_add_strv (args, "--ca", ca);
        args_add_strv (args, "--pkcs12", cert);
    } else {
        if (nmovpn_arg_is_set (ca))
            args_add_strv (args, "--ca", ca);
        if (nmovpn_arg_is_set (cert))
            args_add_strv (args, "--cert", cert);
        if (nmovpn_arg_is_set (key))
            args_add_strv (args, "--key", key);
    }
...
}
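To make the proposed mapping concrete, here is an added illustration (not NetworkManager-openvpn code) that parses the key=value profile shown above and builds the certificate-related OpenVPN arguments; it assumes the NM convention that cert and key pointing at the same file denotes a PKCS#12 bundle, and it also covers the p12-without-ca case, which the snippet above does not spell out.

```python
"""Option mapping for ca / cert / key as proposed in this report.

Added example, not NetworkManager-openvpn code. Input is the key=value
profile the UI would write; output is the OpenVPN argument list the
service would build. Assumed convention: cert == key means that file
is a PKCS#12 bundle.
"""


def parse_nm_config(text):
    """Parse 'key=value' lines (the format shown in the report) into a dict."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blank lines, comments and malformed lines
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts


def build_cert_args(opts):
    """Return the certificate-related OpenVPN arguments for a profile.

    When cert and key name the same file, that file is passed as
    --pkcs12, and an additional --ca (if any) is kept so the server CA
    can differ from the CA embedded in the .p12 bundle.
    """
    ca, cert, key = opts.get("ca"), opts.get("cert"), opts.get("key")
    args = []
    if cert and key and cert == key:
        if ca:
            args += ["--ca", ca]
        args += ["--pkcs12", cert]
        return args
    # Separate PEM files: pass each option through unchanged.
    if ca:
        args += ["--ca", ca]
    if cert:
        args += ["--cert", cert]
    if key:
        args += ["--key", key]
    return args


# Constructed sample: the profile from the report.
SAMPLE = "ca=ca.pem\ncert=perso.p12\nkey=perso.p12\n"

if __name__ == "__main__":
    print(build_cert_args(parse_nm_config(SAMPLE)))
```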