Comment 39 for bug 453807

perlhead (fheinz) wrote :

Looking further in the code, I realized that the problem may be that the developers of the program don't want to support unencrypted private key certificates because they are a security risk. Encrypted private key certificates have the .pem extension instead of .key, and network-manager stores a secret for them in the keyring: the password needed to decrypt the key certificate.

What we may be seeing here is a disconnect between the configuration user interface (which does allow the user to specify an unencrypted key certificate) and the connection back-end (which refuses to work with a not-very-helpful error message when the user configures the VPN this way).

So, another workaround to get this working is to use encrypted private key certificates, but if it is the developers' intent to force the use of such keys, then the UI should not allow the user to select a plaintext key file, and should provide a helpful message explaining why it is not allowed, and how to obtain an encrypted key from a plaintext one (openssl rsa -in somecert.key -des3 -out somecert.pem).
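
Added example (not part of the comment above and not network-manager code): one way a front-end could tell an encrypted private key from a plaintext one before accepting it, by reading the file's PEM headers instead of its extension. The function names and sample files are assumptions made for illustration; the sample bodies are constructed placeholders, not key material.

```shell
#!/bin/sh
# Classify a PEM private key file by its headers alone (no passphrase needed).
# Prints: encrypted, plaintext, or unknown.
classify_pem_key() {
    file=$1
    [ -r "$file" ] || { echo unknown; return 0; }
    if grep -q -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        # PKCS#8 encrypted container: the BEGIN line itself says so.
        echo encrypted
    elif grep -Eq -e '^-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----' "$file"; then
        # Traditional PEM: encryption is flagged by a Proc-Type header.
        if grep -q -e '^Proc-Type: 4,ENCRYPTED' "$file"; then
            echo encrypted
        else
            echo plaintext
        fi
    else
        # Certificates, OpenSSH-format keys, non-PEM data: no verdict from headers.
        echo unknown
    fi
}

# Write a constructed sample file; the body is a placeholder, not key material.
write_sample() {
    kind=$1 out=$2
    case $kind in
        plain)  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                    'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' ;;
        legacy) printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
                    'Proc-Type: 4,ENCRYPTED' 'DEK-Info: DES-EDE3-CBC,0000000000000000' \
                    '' 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' ;;
        pkcs8)  printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                    'Q09OU1RSVUNURUQ=' '-----END ENCRYPTED PRIVATE KEY-----' ;;
        cert)   printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                    'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' ;;
    esac > "$out"
}

# Demo over the constructed samples.
tmp=$(mktemp -d)
for k in plain legacy pkcs8 cert; do
    write_sample "$k" "$tmp/$k.pem"
    printf '%-7s %s\n' "$k" "$(classify_pem_key "$tmp/$k.pem")"
done
rm -rf "$tmp"
```

A front-end that gets `plaintext` back from such a check could reject the file at selection time and show the conversion command, instead of failing later in the back-end.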