Does anyone know if OH7LZB ever documented anywhere how to setup the server end of the OpenVPN that validates using the LoTW CA?
The server end is stock openvpn, so you may use the openvpn config instructions / documentation to set it up. Nothing fancy.
I have and have been using a stock openvpn server with my own generated certificate authority, server keys. All is fine there.
I tried replacing the certificate authority with the amprnet-vpn-ca.crt (LoTW) file, and all I get is "TLS key negotiation failed" messages when I try to connect. So there is something I am not understanding: do the server keys have to be built specific to that CA somehow?
Steve
The server won't automatically trust connections from callsign certificates because they aren't signed by the root CA directly.
The root CA signs a small number of subordinate intermediate CAs and those are the ones that actually sign certs for end users.
In order to bridge the chain of trust, the client must also supply the intermediate cert that signed the end user cert. It's been a long time since I've worked with openvpn, so I don't remember how it's supposed to be configured. It's either one of two ways:
1. There may be a config file option for supplying a separate certificate chain file which would just be a cert file with the intermediate in it.
2. If there's no option for a chain file, you may be able to concatenate both your end user cert and the intermediate into the same cert file for the client to read.
If I manage to get some time later, I'll see if I can research the correct method for you.
-Cory NQ1E
On Mon, 19 Oct 2015, Steve L wrote:
The catch is that there are two or three CAs and two key+certificate pairs in the play:
1. The server needs to have its own certificate, for the server hostname, CN=vpnserver.yourdomain.com, which is signed by a CA that the client trusts. This is probably what you've had before. This is used by the client to make sure it's talking to the correct server. LoTW things are not used for this process, as they do not give out server CAs for DNS hostnames. This CA's certificate is used as the cacert (trusted CA) by the client openvpn.
2. The client certificates, which come from LoTW. The LoTW root CA certificate(s?) need to be installed on the server ("ca lotw-ca-cert.pem").
3. The LoTW client certificate is not directly signed by the LoTW root CA, but another CA called an Intermediate CA (LoTW calls them "production CAs"), which have a shorter lifetime, and get rotated more often over time. Their root CA signs the intermediate CA certificate, which in turn signs the client certificates. The client gets the intermediate CA certificate in the client cert bundle from LoTW, and can then provide the intermediate certificate to the server when connecting.
The wiki page I wrote describes how to extract the client and intermediate certificates, and how they are concatenated to a single file, which is then given to the openvpn client "cert client-certs.pem", which presents both of them to the server.
http://wiki.ampr.org/index.php/AMPRNet_VPN
- Hessu
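The chain-of-trust point in Hessu's message, as an added example that is not part of the thread or of the AMPRNet wiki page: it builds a throwaway root CA, an intermediate ("production") CA and an end-user certificate with openssl, then shows that the end-user certificate does not verify against the root alone (which is what the server sees when the client presents only its own cert, and why the TLS handshake fails), and that it does verify once the client-cert file also carries the intermediate, as in the wiki's concatenated client-certs.pem. All names (demo-root, demo-intermediate, the callsign AA1AAA) are made up for the demo; openssl 1.1.1 or 3.x is assumed.

```shell
#!/bin/sh
# Added example, not from the thread or the AMPRNet wiki.
# Demonstrates why a cert signed by an intermediate CA fails to verify
# against the root CA alone, and how presenting the intermediate fixes it.
# CA names and the callsign are made up for this demo.

WORK="${WORK:-$(mktemp -d)}"

# Issue the three-level hierarchy: root -> intermediate -> client.
make_hierarchy() (
    cd "$WORK" || exit 1
    # Self-signed root, standing in for a LoTW root CA. "req -x509"
    # emits a CA:TRUE certificate with the stock openssl.cnf.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=demo-root" -keyout root.key -out root.crt >/dev/null 2>&1
    # Intermediate ("production") CA, signed by the root.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=demo-intermediate" -keyout intermediate.key \
        -out intermediate.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in intermediate.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -days 30 -sha256 -extfile ca.ext \
        -out intermediate.crt >/dev/null 2>&1
    # End-user (callsign) certificate, signed by the intermediate only,
    # never by the root: this mirrors the LoTW client certificates.
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=AA1AAA" -keyout client.key -out client.csr >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > ee.ext
    openssl x509 -req -in client.csr -CA intermediate.crt \
        -CAkey intermediate.key -CAcreateserial -days 30 -sha256 \
        -extfile ee.ext -out client.crt >/dev/null 2>&1
    # What the openvpn client should present: its own cert first, then
    # the intermediate, i.e. the wiki's concatenated client-certs.pem.
    cat client.crt intermediate.crt > client-certs.pem
)

# Server's view with only the root trusted ("ca root.crt" in server.conf)
# and the client presenting only its own certificate. Returns 1: the
# server cannot bridge root -> intermediate -> client.
verify_client_alone() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# Same trusted root, but the presented bundle ($1, e.g. client-certs.pem)
# also carries the intermediate, so the chain closes. Returns 0.
verify_with_chain_file() {
    openssl verify -CAfile "$WORK/root.crt" \
        -untrusted "$WORK/$1" "$WORK/client.crt" >/dev/null 2>&1
}

make_hierarchy
verify_client_alone && echo "unexpected: bare client cert verified against root"
verify_with_chain_file client-certs.pem && echo "client + intermediate verify against root"
```

Mapping this back to OpenVPN: the server's `ca` option points at the trusted root(s) (it accepts a file holding several CA certificates concatenated), and the client's `cert` option points at the concatenated client-certs.pem, so the intermediate travels with the handshake. To get the individual certificates out of a LoTW .p12 bundle, `openssl pkcs12 -in bundle.p12 -nokeys -out certs.pem` writes every certificate in the bundle to one PEM file, from which the end-user and intermediate certificates can be copied.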
On 19.10.2015 at 22:32, Heikki Hannikainen wrote:
The catch is that there are two or three CAs and two key+certificate pairs in the play:
Not only are there intermediary CAs, but also multiple root CAs?!! As I have pointed out in another posting.
73 oe1rsa
Ping! I have not received anything from the list since Monday. I am sending this post as a test of whether there is a problem with the list.
oe1rsa
We're here. I would say this list is normally more quiet than active.
--David KI6ZHD
On 10/23/2015 09:24 AM, Roland Schwarz wrote:
On 23.10.2015 at 21:27, David Ranch wrote:
We're here. I would say this list is normally more quiet than active.
Thank you for coming back, David. Obviously my last post didn't come across enough as a question for someone to take care of it.
I am still wondering if anyone can tell me which of the three LoTW root CA certificates is tested by OpenVPN, or if all three are being tested?
Since all three certificates can be downloaded and as such look "official" to me, I am left with doubt that I can make my VPN work at all, since I got a cert that is signed by a different CA than the one Heikki showed on the list.
Roland, oe1rsa
Hey Roland,
I am still wondering if anyone can tell me which of the three LoTW root CA certificates is tested by OpenVPN, or if all three are being tested?
Heikki Hannikainen previously mentioned in email that there are machine certs, the primary cert for the root CA, and an intermediate cert. He listed *three* specific bullet items in his email which correspond to each of the three certificates that you mentioned (not necessarily in that order, though). So, though seemingly an overly complicated implementation of certificates on behalf of the ARRL, you need to trust all three.
Since all three certificates can be downloaded and as such look "official" to me, I am left with doubt that I can make my VPN work at all, since I got a cert that is signed by a different CA than the one Heikki showed on the list.
Certs do get replaced from time to time and maybe they upgraded the machine cert recently. Dunno. Maybe Hessu (Heikki) could add links to specific certs he's been successful so that you can compare.
--David KI6ZHD
Hello David,
On 24.10.2015 at 17:43, David Ranch wrote:
Heikki Hannikainen previously mentioned in email that there are machine certs, the primary cert for the root CA, and an intermediate cert. He listed *three* specific bullet items in his email which correspond to each of the three certificates that you mentioned
Sorry, but I still do not understand. I tried to make a screenshot by means of a certificate tool, i.e., XCA. Please have a look at the attached screenshot.
From there you can see that a total of 9 certificates are in question, not only three. You can also see the cert hierarchies.
Can you possibly explain to me how to deal with the three different root CAs?
Roland oe1rsa
Ok, attaching an image does not work on this list. I made a transcript, hopefully that one will get through ...
73 de oe1rsa