On Mon, 19 Oct 2015, Steve L wrote:
Does anyone know if OH7LZB ever documented anywhere how to setup the server end of the OpenVPN that validates using the LoTW CA?
The server end is stock openvpn, so you may use the openvpn config instructions / documentation to set it up. Nothing fancy.
I have and have been using a stock openvpn server with my own generated certificate authority, server keys. All is fine there.
I tried replacing the certificate authority with the amprnet-vpn-ca.crt (lotw) file, and all I get is TLS key handshake/negotiation failed messages when I try and connect. So there is something I am not understanding about whether the server keys have to be built specific to that CA somehow?
The catch is that there are two or three CAs and two key+certificate pairs in the play:
1. The server needs to have its own certificate, for the server hostname, CN=vpnserver.yourdomain.com, which is signed by a CA that the client trusts. This is probably what you've had before. This is used by the client to make sure it's talking to the correct server. LoTW things are not used for this process, as they do not give out server CAs for DNS hostnames. This CA's certificate is used as the cacert (trusted CA) by the client openvpn.
2. The client certificates, which come from LoTW. The LoTW root CA certificate(s?) need to be installed on the server ("ca lotw-ca-cert.pem").
3. The LoTW client certificate is not directly signed by the LoTW root CA, but another CA called an Intermediate CA (LoTW calls them "production CAs"), which have a shorter lifetime, and get rotated more often over time. Their root CA signs the intermediate CA certificate, which in turn signs the client certificates. The client gets the intermediate CA certificate in the client cert bundle from LoTW, and can then provide the intermediate certificate to the server when connecting.
The wiki page I wrote describes how to extract the client and intermediate certificates, and how they are concatenated to a single file, which is then given to the openvpn client "cert client-certs.pem", which presents both of them to the server.
http://wiki.ampr.org/index.php/AMPRNet_VPN
- Hessu
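The three-tier split Hessu describes (root CA trusted by the server, intermediate "production" CA shipped with the client cert, client cert signed by the intermediate) can be reproduced end to end with the openssl CLI. The script below is an added example, not code from Hessu's message or from the AMPRNet wiki: it builds a constructed, throwaway chain with made-up names (Example Root CA, CN=N0CALL), packs it into a PKCS#12 bundle the way a client-certificate download arrives, does the extract-and-concatenate step, and then checks the result the way the server side will, trusting only the root and taking the intermediate as untrusted input. The OpenVPN config fragments it writes use hypothetical paths for the server's own cert and the CA that signed it.

```shell
#!/bin/sh
# Added example, not from Hessu's message or the AMPRNet wiki.
# Builds a constructed three-tier chain (root CA -> intermediate CA -> client
# cert) with the openssl CLI, packs it into a PKCS#12 bundle, then performs the
# extract-and-concatenate step and verifies it the way the OpenVPN server will.
# All names (Example Root CA, N0CALL, file names) are made up for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed chain standing in for the LoTW root CA -> production (intermediate)
# CA -> client certificate. Keys are written unencrypted (-nodes) only because
# this is a disposable demo.
make_chain() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -days 30 -in "$WORK/int.csr" \
    -CA "$WORK/root.crt" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.crt" 2>/dev/null

  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=N0CALL" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/client.csr" \
    -CA "$WORK/int.crt" -CAkey "$WORK/int.key" -CAcreateserial \
    -out "$WORK/client.crt" 2>/dev/null

  # Bundle: private key + client cert (gets a localKeyID) + intermediate
  # (no localKeyID, so pkcs12 lists it under -cacerts).
  openssl pkcs12 -export -passout pass: \
    -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/int.crt" -out "$WORK/bundle.p12"
}

# The step the wiki page describes: pull the client cert and the intermediate
# out of the .p12 and concatenate them into the one file OpenVPN will present.
extract_client_bundle() {
  openssl pkcs12 -in "$WORK/bundle.p12" -passin pass: -nokeys -clcerts \
    -out "$WORK/client-cert.pem"
  openssl pkcs12 -in "$WORK/bundle.p12" -passin pass: -nokeys -cacerts \
    -out "$WORK/intermediate.pem"
  openssl pkcs12 -in "$WORK/bundle.p12" -passin pass: -nocerts -nodes \
    -out "$WORK/client-key.pem"
  cat "$WORK/client-cert.pem" "$WORK/intermediate.pem" > "$WORK/client-certs.pem"
}

# Number of PEM certificates in the concatenated file (expect 2).
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$WORK/client-certs.pem"
}

# Server-side check: trust only the root, take the intermediate as untrusted
# input, which is what the server sees when the client sends both certs.
verify_chain() {
  openssl verify -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/intermediate.pem" "$WORK/client-cert.pem" >/dev/null 2>&1
}

# Same check with the intermediate missing: must fail. Returns 0 when it does.
verify_without_intermediate_fails() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/client-cert.pem" \
       >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# OpenVPN fragments matching the split in the thread. The server's own cert/key
# and the CA that signed it are hypothetical paths; the server's "ca" is the
# root of the *client* certs, the client's "ca" is the root of the *server* cert.
write_openvpn_fragments() {
  cat > "$WORK/server.conf.fragment" <<EOF
# root CA of the client certificates (the LoTW root in real use)
ca $WORK/root.crt
# server's own certificate, CN=vpnserver.yourdomain.com (hypothetical path)
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
EOF
  cat > "$WORK/client.conf.fragment" <<EOF
# CA that signed the server certificate (hypothetical path)
ca /etc/openvpn/own-ca.crt
# client certificate + intermediate, concatenated
cert $WORK/client-certs.pem
key $WORK/client-key.pem
EOF
}

make_chain
extract_client_bundle
write_openvpn_fragments
if verify_chain && verify_without_intermediate_fails; then
  echo "chain verifies only when the intermediate is presented ($(count_certs) certs in client-certs.pem)"
fi
```

The second verify call is the useful one: with only the root in `-CAfile` and no intermediate offered, `openssl verify` cannot build the path, which is the same situation an OpenVPN server is in when a client sends its LoTW certificate alone. Presenting the concatenated file fixes that; swapping the server's own certificate or its signing CA does not.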