From c1afd0f46b45a4adf5ca0cbe92fa0a2ff62d9d49 Mon Sep 17 00:00:00 2001
From: Jack Ivanov
Date: Sat, 17 Mar 2018 13:49:05 +0300
Subject: [PATCH] Exclude CA from P12

---
 roles/vpn/tasks/openssl.yml | 1 -
 roles/vpn/templates/client_windows.ps1.j2 | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml
index 1c3e61bf..2457ea78 100644
--- a/roles/vpn/tasks/openssl.yml
+++ b/roles/vpn/tasks/openssl.yml
@@ -117,7 +117,6 @@
 -export -name {{ item }} -out private/{{ item }}.p12
- -certfile cacert.pem
 -passout pass:"{{ easyrsa_p12_export_password }}"
 args:
 chdir: "configs/{{ IP_subject_alt_name }}/pki/"
diff --git a/roles/vpn/templates/client_windows.ps1.j2 b/roles/vpn/templates/client_windows.ps1.j2
index b984ab10..f5ef88b7 100644
--- a/roles/vpn/templates/client_windows.ps1.j2
+++ b/roles/vpn/templates/client_windows.ps1.j2
@@ -1,6 +1,7 @@
 function AddAlgoVPN {
 certutil -f -importpfx .\{{ item }}.p12
+ certutil -addstore root .\cacert.pem
 Add-VpnConnection -name "Algo VPN {{ IP_subject_alt_name }} IKEv2" -ServerAddress "{{ IP_subject_alt_name }}" -TunnelType IKEv2 -AuthenticationMethod MachineCertificate -EncryptionLevel Required
 Set-VpnConnectionIPsecConfiguration -ConnectionName "Algo VPN {{ IP_subject_alt_name }} IKEv2" -AuthenticationTransformConstants GCMAES128 -CipherTransformConstants GCMAES128 -EncryptionMethod AES128 -IntegrityCheckMethod SHA384 -DHGroup ECP256 -PfsGroup ECP256 -Force
 }
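Review bot: Dropping `-certfile cacert.pem` means the exported `.p12` no longer carries the CA, so every client that previously obtained the CA from the bundle now needs it delivered separately; this patch updates only the Windows template, and nothing on this page shows whether other client configurations also relied on the bundled chain, so that is worth confirming before merge. On the context line `-passout pass:"{{ easyrsa_p12_export_password }}"` the export password travels on the openssl command line, where it is visible in the process list and in Ansible's task output; supplying it through `-passout env:P12_PASS` with the task's `environment:` block, or via `file:`, keeps it out of argv. The task's opening lines lie outside this hunk, and the hunk header counts more old lines than are shown here, so part of it may be missing from this view.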
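Review bot: `certutil -addstore root .\cacert.pem` places the Algo CA in the Trusted Root store (the local-machine store unless `-user` is given), which makes that CA trusted for every purpose on the host — TLS server authentication, code signing — rather than only for authenticating the IKEv2 peer; that is a broader grant than importing a chain inside the P12 and deserves a comment such as `# Trust the Algo CA machine-wide: needed for IKEv2 machine-cert auth, so the CA key must stay on the server`. The trust scope on the VPN side could be tightened by handing the CA to `Add-VpnConnection` as its `-MachineCertificateIssuerFilter`, if the targeted Windows builds support that parameter. The `-f` on the `certutil -importpfx` line above silently overwrites an existing entry of the same name, which suits re-runs but also lets a stale `.p12` replace a working one without notice. AddAlgoVPN is complete within this hunk, but the code that invokes it is outside it.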