Thanks Corey, that is the info I was seeking.
For anyone else with further clarification:
Server Side:
- ca.crt = The latest LotW Root CA cert
certs\root*, you need to break them apart and select the latest one
- server.crt* = Your personal LotW cert concatenated with the intermediate that signed it.
certs\user* + certs\authorities*
- server.key = The private key associated with your personal cert
keys\YOURCALL*
*References are to the Windows TQSL program: C:\Documents and Settings\your-username\Application Data\TrustedQSL\
On Thu, 17 Mar 2016, Steve L wrote:
For anyone else with further clarification:
Server Side:
- ca.crt = The latest LotW Root CA cert
certs\root*, you need to break them apart and select the latest one
Actually, to support clients with certificates which have been signed by one of the older certs, you should supply all of those LotW certificates in ca.crt. Yes, you can have them all in there, concatenated, OpenVPN will support that.
- server.crt* = Your personal LotW cert concatenated with the intermediate that signed it.
I don't think that will work. Your personal LotW cert does not contain "key usage" parameters that would allow it to be used as a server certificate, so the openvpn client probably will reject it. (If it doesn't, it is misconfigured.)
You should set up a private CA and have it issue a server certificate to be used for the server cert, and the client should use that private CA's certificate as the "ca cert".
certs\user* + certs\authorities*
- server.key = The private key associated with your personal cert
keys\YOURCALL*
*References are to the Windows TQSL program: C:\Documents and Settings\your-username\Application Data\TrustedQSL\
- Hessu
On Fri, Mar 18, 2016 at 1:24 AM, Heikki Hannikainen hessu@hes.iki.fi wrote:
you should supply all of those LotW certificates in ca.crt. Yes, you can have them all in there, concatenated, OpenVPN will support that.
I didn't realize OpenVPN would accept multiple Root CAs. That's great.
- server.crt* = Your personal LotW cert concatenated with the intermediate that signed it.
I don't think that will work. Your personal LotW cert does not contain "key usage" parameters that would allow it to be used as a server certificate, so the openvpn client probably will reject it. (If it doesn't, it is misconfigured.)
You should set up a private CA and have it issue a server certificate to be used for the server cert, and the client should use that private CA's certificate as the "ca cert".
Checking for server key usage in OpenVPN is an optional configuration of the client. Going through the extra steps of creating your own root CA and distributing it to your clients is only necessary if you want them to turn that check on. The only benefit of doing that would be to prevent other LotW certificate holders from being able to impersonate your server after a successful man-in-the-middle attack on your external network traffic or DNS. They wouldn't be able to do that to you without exposing their own identity (by proving they have access to the private key of their LotW cert).
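Two practical points come up in the exchange above: TQSL stores several LotW root certificates in one PEM file that has to be broken apart before you know what you are putting in ca.crt, and a personal LotW certificate carries no extendedKeyUsage, so a client running with "remote-cert-tls server" will refuse it as a server certificate. The script below is an added example written for this page; it is not from the thread, from the OpenVPN project or from TQSL. It assumes a POSIX shell with awk, mktemp and the openssl command line tool; the certificate subjects and file names in it are made up for the demonstration, and the demo generates its own throwaway self-signed certificates instead of real LotW ones.

```shell
#!/bin/sh
# Added example, not from the 44Net thread or from the OpenVPN/TQSL projects.
# Assumes a POSIX shell with awk, mktemp and the openssl CLI on PATH.
# Subject names and file names below are made up for the demonstration.
#
# 1. split_bundle / describe_certs: break a multi-cert PEM file (like TQSL's
#    certs\root*) into single certificates so each root can be inspected, then
#    concatenate them all into ca.crt (OpenVPN accepts several CA certs there).
# 2. has_server_eku: the check a client performs when "remote-cert-tls server"
#    is set. It requires the server cert to carry the serverAuth
#    extendedKeyUsage (shown by openssl as "TLS Web Server Authentication"),
#    which a personal LotW user certificate does not have.
set -e

# split_bundle BUNDLE OUTDIR
# Writes each certificate in BUNDLE to OUTDIR/cert-N.pem and prints the count.
split_bundle() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# describe_certs DIR
# One line per split certificate with subject and expiry, so the newest root
# is easy to spot. All of them still belong in ca.crt, as the thread notes.
describe_certs() {
    for c in "$1"/cert-*.pem; do
        printf '%s: %s; %s\n' "$c" \
            "$(openssl x509 -in "$c" -noout -subject)" \
            "$(openssl x509 -in "$c" -noout -enddate)"
    done
}

# has_server_eku CERT
# Succeeds only if CERT carries the serverAuth extended key usage.
has_server_eku() {
    openssl x509 -in "$1" -noout -text |
        grep -q 'TLS Web Server Authentication'
}

# make_cert OUT CN [EKU]
# Throwaway self-signed cert for the demo. EKU is an openssl extendedKeyUsage
# value such as "serverAuth"; leave it empty to mimic a user cert with no EKU.
make_cert() {
    cfg=$(mktemp)
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
        printf '[dn]\nCN = %s\n' "$2"
        printf '[ext]\nbasicConstraints = CA:FALSE\n'
        if [ -n "$3" ]; then printf 'extendedKeyUsage = %s\n' "$3"; fi
    } > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1" -config "$cfg" >/dev/null 2>&1
    rm -f "$cfg"
}

# demo: two constructed "roots", a user-style cert and a proper server cert.
demo() {
    work=$(mktemp -d)
    make_cert "$work/root-old.pem" "demo-root-old" ""
    make_cert "$work/root-new.pem" "demo-root-new" ""
    make_cert "$work/user.pem"     "demo-N0CALL"   ""          # no EKU, like a LotW user cert
    make_cert "$work/server.pem"   "demo-vpn-server" "serverAuth"

    cat "$work/root-old.pem" "$work/root-new.pem" > "$work/roots-bundle.pem"
    echo "roots in bundle: $(split_bundle "$work/roots-bundle.pem" "$work/split")"
    describe_certs "$work/split"
    cat "$work"/split/cert-*.pem > "$work/ca.crt"   # every root, concatenated

    for c in user server; do
        if has_server_eku "$work/$c.pem"; then
            echo "$c.pem: has serverAuth EKU, accepted with remote-cert-tls server"
        else
            echo "$c.pem: no serverAuth EKU, rejected with remote-cert-tls server"
        fi
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as "sh script.sh demo". On the client side the check itself is the single directive "remote-cert-tls server" in the OpenVPN client config; without it, as the last message says, any holder of a certificate chaining to one of the roots in ca.crt is accepted as the server. With it, the server certificate has to come from a CA you control that issues it with serverAuth, and that CA's certificate is what the clients use as ca.crt.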