[Freeipa-users] Openvpn and Certificates

Andrew Holway andrew.holway at gmail.com
Wed Apr 1 19:11:54 UTC 2015


On 1 April 2015 at 20:02, Nalin Dahyabhai <nalin at redhat.com> wrote:

> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> > I understand from previous discussions that client certificates are not
> > yet supported in FreeIPA, instead I understand one can use "service
> > certificates". From an OpenVPN standpoint I'm guessing this is fine
> > because a vpn client can be entered in Freeipa as a client and a
> > certificate generated for it. This might actually be a preferred model
> > for VPN.
> >
> > My OVPN server config looks like this:
> > ca ca.crt
> > cert server.crt
> > key server.key
> > # Diffie hellman parameters.
> > dh dh2048.pem
> >
> > I guess I can use the
> > "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> > command to generate the server.crt and private.key and I know where to
> > find ca.crt however:
>
> Unless there are other requirements on the contents of the certificate,
> I'd expect that to work.
>

ipa service-add-host --hosts ipa.domain.de \
    client/andrews-macbook-air.local.domain.de

ipa-getcert request \
    -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt \
    -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key \
    -N CN=andrews-macbook-air.local.domain.de \
    -D andrews-macbook-air.local.domain.de \
    -K client/andrews-macbook-air.local.domain.de@DOMAIN.DE

-- Then shuffle the keys and certs around --

-- Restart OpenVPN --

And et voila! It works! Although it does feel a bit hacky :)


The GUI has some weird advice that did not make much sense when I did:
Actions -> New Certificate:

Issue New Certificate for Host andrews-macbook-air.local.domain.de

Create a certificate database or use an existing one. To create a new
database:
# certutil -N -d <database path>
Create a CSR with subject CN=<hostname>,O=<realm>, for example:
# certutil -R -d <database path> -a -g <key size> -s 'CN=andrews-macbook-air.local.otternetworks.de,O=OTTERNETWORKS.DE'
Copy and paste the CSR (from -----BEGIN NEW CERTIFICATE REQUEST----- to
-----END NEW CERTIFICATE REQUEST-----) into the text area below:
>
> I see mention in the docs of optionally requiring that a peer
> certificate include a particular value in its nsCertType extension
> (support for that's not currently planned AFAIK), or a particular value
> in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
> supporting that), but you're not setting such a requirement above.
>
> > - How about the Diffie hellman parameters?
> > - Is dh2048.pem just a bunch of shared primes that enable the two parties
> > to establish encryption together?
>
> Yes to both.  I'm going by the PKI section of the howto [2] and the man
> page here.
>
> > - Is it bad If this file is compromised?
>
> The howto and man pages say it's not required to be kept secret, and the
> secrecy of a key that's generated using DH key agreement doesn't depend
> on the parameters being kept secret, so I'd say no.
>
> HTH,
>
> Nalin
>
> [1] https://fedorahosted.org/freeipa/ticket/2915
> [2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
>
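One thing the per-client service certificate by itself does not give you, added here as an example and not part of the thread: OpenVPN's `ca ca.crt` directive trusts every certificate that chains to the IPA CA, so once the server trusts that CA, any certificate IPA has issued to any host or service is a valid client credential unless the server also checks who the peer is. Nalin's reply notes that FreeIPA cannot yet control the EKU or nsCertType values that `remote-cert-tls` keys on; a subject-based check does not depend on those extensions. The script below is written for this page (it is not FreeIPA's or OpenVPN's own code) and implements an OpenVPN `--tls-verify` hook that allow-lists the leaf certificate's CN and optionally pins the O, which IPA sets to the realm. Assumptions not taken from the thread: the subject string arrives either as `CN=host, O=REALM` (OpenVPN 2.3 and later) or as `/CN=host/O=REALM` (`--compat-names`); the allow-list is one CN per line; the file path and the `VPN_ALLOWED_CNS` / `VPN_EXPECTED_ORG` environment variable names are this example's own choices.

```python
#!/usr/bin/env python3
"""OpenVPN --tls-verify hook: allow-list the peer certificate's subject.

Added example for this page, not FreeIPA's or OpenVPN's own code.
OpenVPN runs the hook once per certificate in the chain as
    <script> <depth> <X509 subject>
and a non-zero exit status aborts the TLS handshake.

Assumptions (not from the thread): the subject arrives either as
"CN=host, O=REALM" (OpenVPN 2.3+ default) or as "/CN=host/O=REALM"
(--compat-names); the allow-list is one CN per line; the path and
environment variable names below are this example's own choices.
"""
import os
import re
import sys

ALLOWED_CNS_FILE = "/etc/openvpn/allowed-cns.txt"   # assumed path

# Match an RDN in either separator style; \s* tolerates "CN = host".
CN_RE = re.compile(r"(?:^|[,/])\s*CN\s*=\s*([^,/]+)")
O_RE = re.compile(r"(?:^|[,/])\s*O\s*=\s*([^,/]+)")


def _extract_rdn(pattern, subject):
    m = pattern.search(subject)
    return m.group(1).strip() if m else None


def extract_cn(subject):
    """Return the CN of an OpenVPN-formatted subject string, or None."""
    return _extract_rdn(CN_RE, subject)


def extract_org(subject):
    """Return the O of an OpenVPN-formatted subject string, or None."""
    return _extract_rdn(O_RE, subject)


def load_allowed(path):
    """Read the allow-list: one CN per line, '#' comments, case-insensitive."""
    with open(path) as f:
        return {line.strip().lower() for line in f
                if line.strip() and not line.lstrip().startswith("#")}


def verify(depth, subject, allowed, expected_org=None):
    """Decide whether OpenVPN may accept this certificate.

    depth 0 is the peer's leaf certificate; higher depths are CA
    certificates, which the 'ca' directive already pins, so only the
    leaf is checked here.  Returns True to accept, False to reject.
    """
    if depth != 0:
        return True
    cn = extract_cn(subject)
    if cn is None:
        return False
    # IPA issues subjects as CN=<host>,O=<REALM>; pin the realm when asked.
    if expected_org is not None and extract_org(subject) != expected_org:
        return False
    return cn.lower() in allowed


def main(argv):
    if len(argv) != 3:
        sys.stderr.write("usage: %s <depth> <subject>\n" % argv[0])
        return 1
    depth = int(argv[1])
    allowed = load_allowed(os.environ.get("VPN_ALLOWED_CNS", ALLOWED_CNS_FILE))
    ok = verify(depth, argv[2], allowed, os.environ.get("VPN_EXPECTED_ORG"))
    if not ok:
        sys.stderr.write("tls-verify: rejecting depth %d subject %r\n"
                         % (depth, argv[2]))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

On the server this is wired in with `script-security 2` and `tls-verify /etc/openvpn/tls-verify.py` alongside the `ca`/`cert`/`key` lines shown above. The mirror-image problem exists on the client: a stolen certificate issued by the same IPA CA to any other host could impersonate the server, so the client config should pin the server's subject with `verify-x509-name <server CN> name` rather than rely on the CA alone.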
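Nalin's answer on dh2048.pem is that the parameters are public, and that is correct. The complementary caveat, added here as an example and not part of the thread, is that their integrity still matters: OpenVPN loads whatever the `dh` file contains, and a file swapped for one whose modulus is composite or not a safe prime weakens every DHE handshake the server performs. The script below is written for this page (it is not OpenVPN's or OpenSSL's code) and uses only the Python standard library to parse the PEM `DH PARAMETERS` block (PKCS#3 DHParameter: `SEQUENCE { INTEGER p, INTEGER g }`) and apply the conditions `openssl dhparam -check` reports on: p is prime, (p-1)/2 is prime, and the generator is in range. `SAMPLE_PEM` is a constructed toy vector (p = 23, g = 2) for the test and is far too small for any real use; the 2048-bit default floor matches the file name in the thread.

```python
#!/usr/bin/env python3
"""Integrity check for an OpenVPN 'dh' parameter file.

Added example for this page, not OpenVPN's or OpenSSL's own code.  The
parameters need not be secret, but a swapped file is a problem, so this
parses the PEM "DH PARAMETERS" block (PKCS#3 DHParameter:
SEQUENCE { INTEGER p, INTEGER g }) and applies the conditions
'openssl dhparam -check' reports on.  SAMPLE_PEM is a constructed toy
(p = 23, g = 2) used only for the test.
"""
import base64
import random
import re
import sys

SAMPLE_PEM = (
    "-----BEGIN DH PARAMETERS-----\n"
    "MAYCARcCAQI=\n"            # DER 30 06 02 01 17 02 01 02
    "-----END DH PARAMETERS-----\n"
)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length (2048-bit p needs it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams(der):
    """Return (p, g) from a DER DHParameter; privateValueLength is ignored."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    tag2, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02 or tag2 != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n, rounds=40):
    """Miller-Rabin after trial division; error rate at most 4**-rounds."""
    if n < 2:
        return False
    for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dhparams(p, g, min_bits=2048):
    """Return (ok, reason); min_bits defaults to the size the thread uses."""
    if p.bit_length() < min_bits:
        return False, "modulus too small: %d bits" % p.bit_length()
    if not is_probable_prime(p):
        return False, "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "p is not a safe prime"
    if g <= 1 or g >= p - 1:
        return False, "generator out of range"
    # For a safe prime every g in (1, p-1) has order q or 2q, so there is
    # no small subgroup to be forced into; report which one g generates.
    order = "q" if pow(g, q, p) == 1 else "2q"
    return True, "ok (g has order %s)" % order


def check_dh_pem(pem, min_bits=2048):
    p, g = parse_dhparams(pem_to_der(pem))
    return check_dhparams(p, g, min_bits)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "dh2048.pem"
    with open(path) as f:
        ok, reason = check_dh_pem(f.read())
    print("%s: %s" % (path, reason))
    sys.exit(0 if ok else 1)
```

Run it as `./check_dh.py /etc/openvpn/dh2048.pem` after copying the file into place; the same result comes from `openssl dhparam -in dh2048.pem -check -noout`, which is what to use where OpenSSL is available. Either way, treat the file like the server configuration itself: root-owned, not writable by the OpenVPN runtime user, even though it needs no confidentiality.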