[Freeipa-users] Openvpn and Certificates

Nalin Dahyabhai nalin at redhat.com
Wed Apr 1 18:02:34 UTC 2015


On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
> 
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie-Hellman parameters.
> dh dh2048.pem
> 
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:

Unless there are other requirements on the contents of the certificate,
I'd expect that to work.

I see mention in the docs of optionally requiring that a peer
certificate include a particular value in its nsCertType extension
(support for that's not currently planned AFAIK), or a particular value
in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
supporting that), but you're not setting such a requirement above.

> - How about the Diffie-Hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?

Yes to both.  I'm going by the PKI section of the howto [2] and the man
page here.

> - Is it bad if this file is compromised?

The howto and man pages say it's not required to be kept secret, and the
secrecy of a key that's generated using DH key agreement doesn't depend
on the parameters being kept secret, so I'd say no.

HTH,

Nalin

[1] https://fedorahosted.org/freeipa/ticket/2915
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
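Since a dh2048.pem file is public data rather than a secret, the useful check on it is that it actually contains a well-formed safe prime of the expected size with a generator in range. The following is an added example, not code from the thread, FreeIPA or OpenVPN; it parses the PEM-wrapped PKCS#3 DHParameter structure that OpenVPN's `dh` directive reads, and the embedded sample is a constructed toy (p=23, g=5), not a real 2048-bit parameter set.

```python
import base64, random, re

# Constructed toy sample (p=23, g=5), not a real 2048-bit parameter set.
SAMPLE_DH_PEM = "-----BEGIN DH PARAMETERS-----\nMAYCARcCAQU=\n-----END DH PARAMETERS-----\n"

def _tlv(buf, pos):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length: low 7 bits give the length's byte count
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def decode_dh_params(pem):
    """Return (p, g) from PKCS#3 SEQUENCE { prime INTEGER, base INTEGER }."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block")
    tag, seq, _ = _tlv(base64.b64decode("".join(m.group(1).split())), 0)
    tp, p, pos = _tlv(seq, 0)
    tg, g, _ = _tlv(seq, pos)
    if (tag, tp, tg) != (0x30, 0x02, 0x02):
        raise ValueError("not a DHParameter structure")
    return int.from_bytes(p, "big"), int.from_bytes(g, "big")

def is_probable_prime(n, rounds=32):
    """Miller-Rabin; tiny and even n are answered exactly."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    r = ((n - 1) & -(n - 1)).bit_length() - 1  # n-1 = d * 2**r, d odd
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dh_params(pem, min_bits=2048):
    """Report size, primality of p and of (p-1)/2, and generator range."""
    p, g = decode_dh_params(pem)
    p_prime = is_probable_prime(p)
    return {"bits": p.bit_length(), "large_enough": p.bit_length() >= min_bits,
            "p_prime": p_prime, "generator_ok": 1 < g < p - 1,
            "safe_prime": p_prime and is_probable_prime((p - 1) // 2)}
```

On a real file, `check_dh_params(open("dh2048.pem").read())` should report `bits` of 2048 and `True` for every other key; a prime p whose (p-1)/2 is composite shows up as `safe_prime: False`.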
