On Wed, 16 Mar 2016, Steve L wrote:
> My callsign.tq6 is binary data.
It's actually a gzip compressed XML file:
$ gzip -dc OH7LZB.tq6|less
<?xml version="1.0" encoding="UTF-8" ?>
<tqsldata>
<tqslcerts>
<rootcert>-----BEGIN CERTIFICATE-----
...
> However it looks like the root certificate is located here:
> C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
> I noticed it looks like three stacked into one file based on the
> begin/end markings.
Correct.
> But from the link Tom shared, it looks like you don't have to do
> anything different like break them apart, with a chained vs single.
The "chained" thing is actually referring to something else than the
multiple root certificates you found in this bundle. This file is a
certificate bundle, since it contains multiple certificates. It's not a
chain as such.
"Chained certificates" means that the root certificate signs an
intermediate certificate, which then signs the end user's certificate (or
another intermediate certificate). The chain then consists of the root,
the intermediate, and the client cert. This is what LotW is doing.
LotW has three root certificates. Those are the certs you found
in this file. In addition to those three root certificates, there are
intermediate certificates between the root certificate and the client's
certificate. I think the intermediates are in the <cacert> blocks in the
XML, between the roots and the user cert, but there could be more of them
(not included here).
To validate a user certificate, the OpenVPN server first needs to have
the root certificates it then trusts. The client presents its own
certificate. Then, either the server needs to have a copy of the
intermediate certificate, or the client needs to present the intermediate
certificate. OpenVPN supports both approaches.
The instructions on
http://wiki.ampr.org/wiki/AMPRNet_VPN describe how to
concatenate the client certificate with the intermediate certificate, so
that the client can present both of them to the server, and the server
then has the complete chain to work with.
> Step one (./build-req server) went ok, however stuck at step two:
> root@test:/etc/openvpn/easy-rsa/2.0# ./build-key server
> pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys
> Try pkitool --initca to build a root certificate/key.
> root@test:/etc/openvpn/easy-rsa/2.0#
> I simply copied the TQSL root file over to
> /etc/openvpn/easy-rsa/2.0/keys and renamed it ca.crt
Ok, so you're trying to generate a server certificate for your VPN server.
For this step, we actually do not need *anything* from LotW/TQSL side (and
cannot use any)! Just use any openvpn server setup guide's instructions
for setting up a CA and generating a server certificate out from that CA.
That CA cert is then given to the openvpn client, so that the client can
make sure it is talking to the correct server.
For example, the instructions at
http://wiki.ampr.org/wiki/AMPRNet_VPN
include a step to download VPN configuration files for the client, and one
of the files is amprnet-vpn-ca.crt, which is my private root CA which
signed the server's certificate. It's referred to by the openvpn client's
config file:
ca amprnet-vpn-ca.crt
The LotW certificates are only used for authenticating the client. The
server's "ca" config option points to the LotW root certs bundle. The
client's "ca" config option points to the private CA which signed the
server's certificate.
- Hessu, OH7LZB
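The following is an added example, not part of the thread above and not code from TrustedQSL, LotW or the AMPRNet wiki. It shows, with only the Python standard library, the structure Hessu describes: a .tq6 file is gzip-compressed XML, a file such as certs/root is a bundle of several stacked PEM certificates (not a chain), and the OpenVPN client file is the user certificate followed by its intermediate(s). The <rootcert> and <cacert> element names come from the thread; the <usercert> element name for the callsign's own certificate is an assumption. The PEM blocks it builds are constructed placeholders (base64 of a label), not real X.509 certificates, so nothing here performs signature validation; it only demonstrates splitting a bundle and assembling the chained client file.

```python
import base64
import gzip
import re
import xml.etree.ElementTree as ET

# One PEM certificate block, including its BEGIN/END markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)


def split_pem_bundle(text):
    """Split a PEM bundle (several certificates stacked in one file, like
    TrustedQSL's certs/root) into one string per certificate."""
    return [m.group(0).strip() + "\n" for m in PEM_BLOCK.finditer(text)]


def parse_tq6(blob):
    """Decompress a .tq6 (gzip-compressed XML) and collect the PEM
    certificates it carries, grouped by element name. <rootcert> and
    <cacert> are named in the thread; <usercert> is an assumed name."""
    root = ET.fromstring(gzip.decompress(blob))
    found = {"rootcert": [], "cacert": [], "usercert": []}
    for tag in found:
        for element in root.iter(tag):
            # An element may hold one certificate or several stacked ones.
            found[tag].extend(split_pem_bundle(element.text or ""))
    return found


def build_client_chain(user_cert, intermediates):
    """Concatenate the user certificate followed by its intermediate(s):
    the single 'cert' file an OpenVPN client presents so the server,
    trusting only the roots, receives the complete chain."""
    return "".join([user_cert] + list(intermediates))


def fake_pem(label):
    """Constructed placeholder block: base64 of a label, NOT a real cert."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def make_sample_tq6():
    """Constructed .tq6-like blob: three roots stacked in one <rootcert>,
    one intermediate in <cacert>, one user certificate in <usercert>."""
    roots = "".join(fake_pem(f"root-{i}") for i in range(1, 4))
    xml_text = (
        '<?xml version="1.0" encoding="UTF-8" ?>\n'
        "<tqsldata><tqslcerts>\n"
        f"<rootcert>{roots}</rootcert>\n"
        f"<cacert>{fake_pem('intermediate')}</cacert>\n"
        f"<usercert>{fake_pem('user')}</usercert>\n"
        "</tqslcerts></tqsldata>\n"
    )
    return gzip.compress(xml_text.encode("utf-8"))


def summarize(blob):
    """Parse a .tq6 blob and report what the server side (root bundle) and
    the client side (user cert + intermediates) would each be given."""
    certs = parse_tq6(blob)
    chain = build_client_chain(certs["usercert"][0], certs["cacert"])
    return {
        "roots": len(certs["rootcert"]),
        "intermediates": len(certs["cacert"]),
        "chain_blocks": len(split_pem_bundle(chain)),
        "chain_starts_with_user": chain.startswith(certs["usercert"][0]),
    }


if __name__ == "__main__":
    print(summarize(make_sample_tq6()))
```

The root bundle (all <rootcert> blocks written to one file) is what the server's "ca" option would point at; the result of build_client_chain is what the client's "cert" option would point at. Swapping the two, as the quoted ca.crt copy attempted, gives the server nothing to sign its own certificate with, which is the pkitool error in the thread.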