19 Oct
2015
19 Oct
'15
2:34 p.m.
>>> Does anyone know if OH7LZB ever documented
anywhere how to setup the
>>> server end of the OpenVPN that validates using the LoTW CA?
>The server end is stock openvpn, so you may use the
openvpn config
>instructions / documentation to set it up. Nothing fancy, .
I have and have been using a stock openvpn server with my own
generated certificate
authority, server keys. All is fine there.
I tried replacing the certificate authority with the
amprnet-vpn-ca.crt (lotw) file, and all I get is TLS key
handshake/negotiation failed messages when I try and connect. So
there is something I am not understanding on if the server keys have
to be built specific CA to that somehow?
Steve
19 Oct
19 Oct
3:49 p.m.
New subject: Accessing AMPRNet via VPN was Services hosted on AMPRNet
The server won't automatically trust connections from callsign certificates
because they aren't signed by the root CA directly.
The root CA signs a small number of subordinate intermediate CAs and those
are the ones that actually sign certs for end users.
In order to bridge the chain of trust, the client must also supply the
intermediate cert that signed the end user cert. It's been a long time
since I've worked with openvpn, so I don't remember how it's supposed to be
configured. It's either one of two ways:
1. There may be a config file option for supplying a separate certificate
chain file which would just be a cert file with the intermediate in it.
2. If there's no option for a chain file, you may be able to concatenate
both your end user cert and the intermediate into the same cert file for
the client to read.
If I manage to get some time later, I'll see if I can research the correct
method for you.
-Cory
NQ1E
4:32 p.m.
New subject: Amprnet VPN setup, root CAs
On Mon, 19 Oct 2015, Steve L wrote:
(Please trim inclusions from previous messages)
_______________________________________________
The catch is that there are two or three CAs and two key+certificate pairs
in the play:
1. The server needs to have its own certificate, for the server hostname,
CN=vpnserver.yourdomain.com, which is signed by a CA that the client
trusts. This is probably what you've had before. This is used by the
client to make sure it's talking to the correct server. LoTW things are
not used for this process, as they do not give out server CAs for DNS
hostnames. This CA's sertificate is used as the cacert (trusted CA) by the
client openvpn.
2. The client certificates, which come from LoTW. The LoTW root CA
certificate(s?) need to be installed on the server ("ca
lotw-ca-cert.pem").
3. The LoTW client certificate is not directly signed by the LoTW root CA,
but another CA called an Intermediate CA (LoTW calls them "production
CAs"), which have a shorter lifetime, and get rotated more often
over time. Their root CA signs the intermediate CA certificate, which in
turn signs the client certificates. The client gets the intermediate CA
certificate in the client cert bundle from LoTW, and can then provide the
intermediate certificate to the server when connecting.
The wiki page I wrote describes how to extract the client and intermediate
certificates, and how they are concatenated to a single file, which is
then given to the openvpn client "cert client-certs.pem", which presents
both of them to the server.
http://wiki.ampr.org/index.php/AMPRNet_VPN
- Hessu
>>> Does anyone know if OH7LZB ever
documented anywhere how to setup the
>>> server end of the OpenVPN that validates using the LoTW CA?
> The server end is stock openvpn, so you may
use the openvpn config
> instructions / documentation to set it up. Nothing fancy, .
I have and have been using a stock openvpn server with my own generated
certificate authority, server keys. All is fine there.
I tried replacing the certificate authority with the amprnet-vpn-ca.crt
(lotw) file, and all I get is TLS key handshake/negotiation failed
messages when I try and connect. So there is something I am not
understanding on if the server keys have to be built specific CA to that
somehow? 
4:38 p.m.
New subject: Amprnet VPN setup, root CAs
Am 19.10.2015 um 22:32 schrieb Heikki Hannikainen:
The catch is that there are two or three CAs and two
key+certificate
pairs in the play:
Not only there are intermediary CA's but also multiple Root CA's ?!! as
I have pointed out in another posting.
73 oe1rsa
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________| http://www.blackspace.at
23 Oct
23 Oct
12:24 p.m.
New subject: Amprnet VPN setup, root CAs
Ping!
I have not received anything from the list since monday. I send this
post as a test if there is a problem with the list.
oe1rsa
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________| http://www.blackspace.at
3:27 p.m.
New subject: Amprnet VPN setup, root CAs
We're here. I would say this list is normally more quiet than active.
--David
KI6ZHD
On 10/23/2015 09:24 AM, Roland Schwarz wrote:
(Please trim inclusions from previous messages)
_______________________________________________
Ping!
I have not received anything from the list since monday. I send this
post as a test if there is a problem with the list.
oe1rsa
24 Oct
24 Oct
5:39 a.m.
New subject: Amprnet VPN setup, root CAs
Am 23.10.2015 um 21:27 schrieb David Ranch:
We're here. I would say this list is normally
more quiet than active.
Thank you for coming back, David.
Obviously my last post didn't come so much as of a question so that
someone took care.
I am still wondering if anyone can tell me which of the three LoTW root
CA certificates is tested by OpenVPN, or if all three are being tested?
Since all three certificates can be downloaded and as such look
"official" to me I am left with doubt that I can make my VPN work at all
since I got a cert that is signed by a different CA than Heikki showed
on the list.
Roland, oe1rsa
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________| http://www.blackspace.at
11:43 a.m.
New subject: Amprnet VPN setup, root CAs
Hey Roland,
I am still wondering if anyone can tell me which of
the three LoTW
root CA certificates is tested by OpenVPN, or if all three are being
tested?
Heikki Hannikainen previously mentioned in email that there are machine
certs, the primary cert for the root CA, and an intermediate cert. He
listed *three* specific bullet items in his email which correspond to
each of the three certificates that you mentioned (not necessarily in
that order though). So, though seemingly an overly complicated
implementation of certificates in the behalf of the ARRL, you need to
trust all three.
Since all three certificates can be downloaded and as
such look
"official" to me I am left with doubt that I can make my VPN work at
all since I got a cert that is signed by a different CA than Heikki
showed on the list.
Certs do get replaced from time to time and maybe they upgraded the
machine cert recently. Dunno. Maybe Hessu (Heikki) could add links to
specific certs he's been successful so that you can compare.
--David
KI6ZHD
3:20 p.m.
New subject: Amprnet VPN setup, root CAs
Hello David,
Am 24.10.2015 um 17:43 schrieb David Ranch:
Heikki Hannikainen previously mentioned in email that
there are machine
certs, the primary cert for the root CA, and an intermediate cert. He
listed *three* specific bullet items in his email which correspond to
each of the three certificates that you mentioned
Sorry, but I still do not understand. I tried to make a screenshot by
means of a certifacte tool i.e. XCA. Please have a look at the attached
screenshot.
From there you can see that a total of 9 certificates
are in question,
not only three. You can also see the cert hierarchies.
Can you possibly explain to me how to deal with the three different root
ca's?
Roland oe1rsa
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________| http://www.blackspace.at
25 Oct
25 Oct
7:09 a.m.
New subject: Amprnet VPN setup, root CAs
Ok, attaching an image does not work on this list.
I made a transcript, hopefully that one will get through ...
73 de oe1rsa
--
_________________________________________
_ _ | Roland Schwarz
|_)(_ |
| \__) | mailto:roland.schwarz@blackspace.at
________| http://www.blackspace.at
3315
days inactive
3321
days old
9 comments
5 participants
participants (5)
-
Cory (NQ1E) -
David Ranch -
Heikki Hannikainen -
Roland Schwarz -
Steve L