[Freeipa-users] Openvpn and Certificates
Anthony Messina
amessina at messinet.com
Wed Apr 1 23:37:11 UTC 2015
On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
> Hello,
>
> After following Alexanders advice to use sssd/pam for OpenVPN with OTP I
> have it all working rather nice but with self signed certificates which is
> not ideal.
>
> (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
> android app. wtf??!! :)
>
> I'm scratching around trying to find a way to provide server and client
> certificates but, to be honest, my understanding of certificates is not
> good enough to be able to take the leap.
>
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:
> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?
> - Is it bad If this file is compromised?
>
> Thanks,
>
> Andrew
https://fedorahosted.org/freeipa/ticket/2915 says it's planned for 4.2, which
I'm hoping for, since I want to have more of the certificate functionality of
Dogtag exposed. To use all the bells and whistles that OpenVPN can check on
certificates, FreeIPA needs to support setting custom parameters on service
certificates, which right now, it cannot do. -A
--
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: This is a digitally signed message part.
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20150401/6aec0d70/attachment.sig>
More information about the Freeipa-users
mailing list