From 4e4440a31834a915b7e32dcbf8e93ccc19ed54b5 Mon Sep 17 00:00:00 2001
From: Jack Ivanov <17044561+jackivanov@users.noreply.github.com>
Date: Sun, 18 Mar 2018 00:16:22 +0300
Subject: [PATCH] Exclude CA from P12 (#835)
---
 roles/vpn/tasks/openssl.yml | 1 -
 roles/vpn/templates/client_windows.ps1.j2 | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index 1c3e61b..2457ea7 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@@ -117,7 +117,6 @@
 -export -name {{ item }} -out private/{{ item }}.p12
- -certfile cacert.pem
 -passout pass:"{{ easyrsa_p12_export_password }}"
 args:
 chdir: "configs/{{ IP_subject_alt_name }}/pki/"
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index b984ab1..f5ef88b 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -1,6 +1,7 @@
 function AddAlgoVPN {
 certutil -f -importpfx .\{{ item }}.p12
+ certutil -addstore root .\cacert.pem
 Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
 Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256 -Force
 }
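Review bot: The new `certutil -addstore root .\cacert.pem` line places the deployment's private CA in the LocalMachine Trusted Root store, where Windows trusts it for every purpose (TLS, code signing), not only for the IKEv2 MachineCertificate chain this function configures, and the hunk leaves that scope undocumented; whether this is wider than what `certutil -importpfx` already did with the CA previously bundled via `-certfile` is not visible here. The command's exit status is also unchecked, so a failed import (the P12 import uses `-f`, this one does not, and both need an elevated shell) would surface only later as an opaque IKE authentication failure. I would add `# CA must be in the machine Root store for IKEv2 MachineCertificate auth; note this trusts it host-wide, not just for the VPN` above the line and follow it with `if ($LASTEXITCODE -ne 0) { throw "certutil -addstore root failed" }`. This presumes cacert.pem is now delivered next to the .p12, since the openssl.yml hunk stops embedding it in the bundle; that copy step is not visible in the diff. The AddAlgoVPN function is complete within the hunk.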