Re: [44net] Amprnet VPN setup, root CAs

On Mon, 19 Oct 2015, Steve L wrote: The catch is that there are two or three CAs and two key+certificate pairs in the play: 1. The server needs to have its own certificate, for the server hostname, CN=vpnserver.yourdomain.com, which is signed by a CA that the client trusts. This is probably what you've had before. This is used by the client to make sure it's talking to the correct server. LoTW things are not used for this process, as they do not give out server CAs for DNS hostnames. This CA's sertificate is used as the cacert (trusted CA) by the client openvpn. 2. The client certificates, which come from LoTW. The LoTW root CA certificate(s?) need to be installed on the server ("ca lotw-ca-cert.pem"). 3. The LoTW client certificate is not directly signed by the LoTW root CA, but another CA called an Intermediate CA (LoTW calls them "production CAs"), which have a shorter lifetime, and get rotated more often over time. Their root CA signs the intermediate CA certificate, which in turn signs the client certificates. The client gets the intermediate CA certificate in the client cert bundle from LoTW, and can then provide the intermediate certificate to the server when connecting. The wiki page I wrote describes how to extract the client and intermediate certificates, and how they are concatenated to a single file, which is then given to the openvpn client "cert client-certs.pem", which presents both of them to the server. http://wiki.ampr.org/index.php/AMPRNet_VPN - Hessu