Tal, thanks for the follow-up.
Most of that I already knew. As I have said, I have a functioning OpenVPN server. The only thing it lacks is the ability to work with client keys that folks extract from their LoTW credentials. I have to issue client keys to people, and that is what I am trying to get away from.
I really need a watered-down step-by-step guide on how to do this until it all clicks in my mind. Multi-factor authentication is pretty confusing and new to me yet.
As I have said the client key extraction and documentation in the wiki is easy to understand, I just wish the same existed for the server end.
http://wiki.ampr.org/wiki/AMPRNet_VPN
It appears I need to build a certificate signing request (maybe I am wrong). Again, it's not clear to me where/how to extract the root certificate from the ARRL LoTW program.
"Again, it's not clear to me where/how to extract the root certificate from the ARRL LoTW program."
AFAIK, the tQSL program itself doesn't contain this. All necessary certificates (root, CA) and keys are imported from the <call-sign>.tq6 file sent to the callsign owner.
BTW, I have an OpenVPN server running too, capable of assigning 44.165.15.xx addresses. Thanks to GURU Rob/PE1CHL for nifty tips on how to issue an all-in-one end-user config file.
Best regards --- Tom - SP2L
Sent from Xperia Z1 with AquaMail http://www.aqua-mail.com
On Tue, 15 Mar 2016, SP2L Tom wrote:
"Again, it's not clear to me where/how to extract the root certificate from the ARRL LoTW program."
AFAIK, the tQSL program itself doesn't contain this. All necessary certificates (root, CA) and keys are imported from the <call-sign>.tq6 file sent to the callsign owner.
That's correct. I don't know if the ARRL root certs are officially published anywhere, where you could download them all easily.
One way to get them is to set up LotW, get a certificate for yourself from ARRL (they have that part documented well), and when you import your own personal certificate to the tQSL program, you get the root certs too as a side effect. They can then be found somewhere in the app's data directory (or within the .tq6 file, just open it up with a text editor and they're pretty obvious).
- Hessu, OH7LZB
Trying to do this could get real complicated real fast.
The first issue is that there are multiple root CAs. I think it's been over a year now since they started using the newest CA, so within another year or so there shouldn't be anyone left with certificates based on the previous root CA.
The other problem is that end-user certs aren't signed directly by the root CA like OpenVPN expects. There may be a way to get OpenVPN to trust them if the intermediate CA cert was included. However, OpenVPN doesn't natively support specifying a cert chain. It may still be possible by concatenating the end-user cert with the intermediate cert into the same file, but that will require testing to be sure. That, and trying to come up with easy-to-follow instructions for your clients to accomplish this, could be a challenge too.
I agree that it's a worthwhile project, but I just wanted to point out the challenges real quick. Hopefully, I'll have more time to help figure it out someday. ;)
Pretty good source of info on certificate chains:
https://community.openvpn.net/openvpn/wiki/Using_Certificate_Chains
Best regards.
--- Tom - SP2L
On Tue, 15 Mar 2016, Cory (NQ1E) wrote:
However, OpenVPN doesn't natively support specifying a cert chain. It may still be possible by concatenating the end-user cert with the intermediate cert into the same file, but that will require testing to be sure.
That's tested, it does work. That's what the VPN server I set up is doing, and the instructions at http://wiki.ampr.org/wiki/AMPRNet_VPN for setting up a client do include steps for concatenating the end-user client cert with the intermediate cert.
You can either provide the intermediate certificates in the server-side CA bundle, or the client can have them bundled with the client CA.
A more user-friendly approach could be used too, the tQSL application used to have an option to export a PKCS#12 (p12) file, which includes the client's private key, client certificate, and the intermediate cert. OpenVPN can use a PKCS#12 file too instead of a separate key+certs file, but older versions would not pass intermediate certs from the p12 file to the server. I provided openvpn with a patch to add that feature, and it's included in more recent versions of the openvpn client, but I'm not sure if that made it to mainstream Linux distributions yet.
- Hessu
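The chain situation Cory and Hessu describe above, worked through with the openssl CLI as an added example (this is not code from the thread or from the AMPRNet wiki). It builds a toy root -> intermediate -> client hierarchy standing in for the ARRL chain (the "Toy LoTW ..." names, the W1XYZ callsign and the W1XYZ.tq6 stand-in file are all constructed), then checks the three cases discussed: a client cert against a root-only CA file, the intermediate added to the server-side CA bundle, and the intermediate concatenated to the client cert. It also builds the PKCS#12 form Hessu mentions and shows how to pull the root and intermediate back out of a text file that embeds them, which is the .tq6 trick.

```shell
#!/bin/sh
# Added example, not code from the thread or the AMPRNet wiki. Builds a toy
# root -> intermediate -> client chain with the openssl CLI, then runs the
# checks discussed in the thread. Names and the W1XYZ callsign are constructed.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that make a cert usable as a CA; applied to root and intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

gen_chain() {
    # Self-signed root.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
        -subj "/CN=Toy LoTW Root CA" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
        -extfile ca.ext 2>/dev/null
    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
        -subj "/CN=Toy LoTW Intermediate CA" 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -out inter.pem -days 30 -extfile ca.ext 2>/dev/null
    # End-user cert, signed by the intermediate only (as LoTW certs are).
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
        -subj "/CN=W1XYZ" 2>/dev/null
    openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -out client.pem -days 30 2>/dev/null
}

# Prints "ok" if openssl can build a chain, "fail" otherwise. Grepping for
# ": OK" rather than trusting the exit code works across old openssl releases.
check() { openssl verify "$@" 2>&1 | grep -q ': OK' && echo ok || echo fail; }

# Root-only CA file and the client presents only its own cert: the failure
# mode Cory describes.
verify_root_only()     { check -CAfile root.pem client.pem; }

# Fix 1: the server-side "ca" file carries root + intermediate.
verify_server_bundle() { cat root.pem inter.pem > ca-bundle.pem
                         check -CAfile ca-bundle.pem client.pem; }

# Fix 2: the client's "cert" file is client cert + intermediate (the wiki's
# way). OpenVPN sends every cert in that file; -untrusted models how the
# server treats the extra certs the peer presents.
verify_client_chain()  { cat client.pem inter.pem > client-chain.pem
                         check -CAfile root.pem -untrusted client-chain.pem client.pem; }

# PKCS#12 alternative: key + client cert + intermediate in one file.
# Prints the number of certificates stored in it (2: client + intermediate).
make_p12() {
    openssl pkcs12 -export -inkey client.key -in client.pem -certfile inter.pem \
        -passout pass:changeit -out client.p12 2>/dev/null
    openssl pkcs12 -in client.p12 -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Pulling the CA certs back out of a text file that embeds them, as Hessu
# suggests for the .tq6 file. W1XYZ.tq6 here is a constructed stand-in: the
# three PEM blocks wrapped in some surrounding text. Each block is split out
# and labelled root (self-signed), intermediate (CA:TRUE) or client.
classify_bundle() {
    { echo '<tqsldata>'; cat root.pem inter.pem client.pem; echo '</tqsldata>'; } > W1XYZ.tq6
    awk '/-----BEGIN CERTIFICATE-----/{n++; on=1} on{print > ("cert-" n ".pem")}
         /-----END CERTIFICATE-----/{on=0}' W1XYZ.tq6
    for f in cert-*.pem; do
        s=$(openssl x509 -in "$f" -noout -subject); s=${s#subject=}
        i=$(openssl x509 -in "$f" -noout -issuer);  i=${i#issuer=}
        if [ "$s" = "$i" ]; then kind=root
        elif openssl x509 -in "$f" -noout -text | grep -q 'CA:TRUE'; then kind=intermediate
        else kind=client; fi
        echo "$f $kind"
    done
}

gen_chain
echo "root-only CA file:        $(verify_root_only)"
echo "root+intermediate bundle: $(verify_server_bundle)"
echo "client cert+intermediate: $(verify_client_chain)"
echo "certs in client.p12:      $(make_p12)"
classify_bundle
```

The first check prints "fail" and the next two print "ok", which is the whole point of the thread: with only the root in the server's ca file the client cert is unverifiable unless the intermediate arrives from somewhere, either the server bundle or the client's concatenated cert file. The split-and-classify step is how you would sort the PEM blocks found in a .tq6 file into the ones that belong in a server-side ca bundle (root and intermediate) and the one that does not (the user's own cert).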