My callsign.tq6 is binary data.
However it looks like the root certificate is located here: C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
I noticed it looks like three stacked into one file based on the begin/end markings.
But from the link Tom shared, it looks like you don't have to do anything different like break them apart, with a chained vs single.
Step one (./build-req server) went ok, however I'm stuck at step two:
root@test:/etc/openvpn/easy-rsa/2.0# ./build-key server
pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys
Try pkitool --initca to build a root certificate/key.
root@test:/etc/openvpn/easy-rsa/2.0#
I simply copied the TQSL root file over to /etc/openvpn/easy-rsa/2.0/keys and renamed it ca.crt
So I am guessing I need to split each certificate into its own file? Is there any way to support more than one?
On Linux, KDE's KWrite will show the PLAIN content of a *.tq6 file, allowing you to copy anything needed. Similarly, Midnight Commander in VIEW mode (F3) will do the same.
Best regards. --- Tom - SP2L
On Wed, 16 Mar 2016, Steve L wrote:
> My callsign.tq6 is binary data.
It's actually a gzip compressed XML file:
$ gzip -dc OH7LZB.tq6|less
<?xml version="1.0" encoding="UTF-8" ?>
<tqsldata>
<tqslcerts>
<rootcert>-----BEGIN CERTIFICATE-----
...
> However it looks like the root certificate is located here: C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
> I noticed it looks like three stacked into one file based on the begin/end markings.
Correct.
> But from the link Tom shared, it looks like you don't have to do anything different like break them apart, with a chained vs single.
The "chained" thing is actually referring to something other than the multiple root certificates you found in this bundle. This file is a certificate bundle, since it contains multiple certificates. It's not a chain as such.
"Chained certificates" means that the root certificate signs an intermediate certificate, which then signs the end user's certificate (or another intermediate certificate). The chain then consists of the root, the intermediate, and the client cert. This is what LotW is doing.
LotW has three root certificates. Those are the certs you found in this file. In addition to those three root certificates, there are intermediate certificates between the root certificate and the client's certificate. I think the intermediates are in the <cacert> blocks in the XML, between the roots and the user cert, but there could be more of them (not included here).
To validate a user certificate, the OpenVPN server first needs to have the root certificates it then trusts. The client presents its own certificate. Then, either the server needs to have a copy of the intermediate certificate, or the client needs to present the intermediate certificate. OpenVPN supports both approaches.
The instructions on http://wiki.ampr.org/wiki/AMPRNet_VPN describe how to concatenate the client certificate with the intermediate certificate, so that the client can present both of them to the server, and the server then has the complete chain to work with.
> Step one (./build-req server) went ok, however I'm stuck at step two:
> root@test:/etc/openvpn/easy-rsa/2.0# ./build-key server
> pkitool: Need a readable ca.crt and ca.key in /etc/openvpn/easy-rsa/2.0/keys
> Try pkitool --initca to build a root certificate/key.
> root@test:/etc/openvpn/easy-rsa/2.0#
> I simply copied the TQSL root file over to /etc/openvpn/easy-rsa/2.0/keys and renamed it ca.crt
Ok, so you're trying to generate a server certificate for your VPN server.
For this step, we actually do not need *anything* from the LotW/TQSL side (and cannot use any)! Just use any openvpn server setup guide's instructions for setting up a CA and generating a server certificate from that CA. That CA cert is then given to the openvpn client, so that the client can make sure it is talking to the correct server.
For example, the instructions at http://wiki.ampr.org/wiki/AMPRNet_VPN include a step to download VPN configuration files for the client, and one of the files is amprnet-vpn-ca.crt, which is my private root CA which signed the server's certificate. It's referred to by the openvpn client's config file:
ca amprnet-vpn-ca.crt
The LotW certificates are only used for authenticating the client. The server's "ca" config option points to the LotW root certs bundle. The client's "ca" config option points to the private CA which signed the server's certificate.
- Hessu, OH7LZB
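An added example (my own, not code from the thread, TQSL or the AMPRNet wiki) of the split Hessu describes: gunzip the .tq6, pull the PEM blocks out of the XML, and produce the three roots as the bundle for the server's "ca" option and the user cert followed by the intermediates as the client's "cert" file. The <cacert> and <usercert> element names are assumptions, and the sample input is constructed rather than a real LotW file.

```python
import gzip
import re
import xml.etree.ElementTree as ET

# One PEM certificate; non-greedy so an element holding several certs is split.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return every PEM certificate in text, in order, each ending in a newline."""
    return [m.group(0).strip() + "\n" for m in PEM_RE.finditer(text or "")]

def split_tq6(raw):
    """raw: bytes of a .tq6 file (gzip-compressed XML, as shown in the thread).
    Returns (roots, intermediates, usercerts) as lists of PEM strings.
    <tqsldata>/<tqslcerts>/<rootcert> appear in the thread; <cacert> is the
    element Hessu guessed holds intermediates; <usercert> is my assumption."""
    tree = ET.fromstring(gzip.decompress(raw))
    buckets = {"rootcert": [], "cacert": [], "usercert": []}
    for el in tree.find("tqslcerts"):
        if el.tag in buckets:
            buckets[el.tag] += pem_blocks(el.text)
    return buckets["rootcert"], buckets["cacert"], buckets["usercert"]

def build_openvpn_files(raw):
    """Return (server_ca, client_cert): the LotW root bundle for the server's
    'ca' option, and the user cert followed by the intermediates for the
    client's 'cert' option, so the client presents the whole chain (leaf first)."""
    roots, inters, users = split_tq6(raw)
    return "".join(roots), "".join(users + inters)

def fake_pem(label):
    """Constructed placeholder block; not a real certificate."""
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----"

def sample_tq6():
    """Constructed .tq6-shaped input: three roots, one intermediate, one user cert."""
    xml = ('<?xml version="1.0" encoding="UTF-8" ?>\n<tqsldata><tqslcerts>'
           + "".join(f"<rootcert>{fake_pem(f'ROOT{i}')}</rootcert>" for i in range(3))
           + f"<cacert>{fake_pem('INTERMEDIATE')}</cacert>"
           + f"<usercert>{fake_pem('USER')}</usercert>"
           + "</tqslcerts></tqsldata>")
    return gzip.compress(xml.encode())

if __name__ == "__main__":
    server_ca, client_cert = build_openvpn_files(sample_tq6())
    print("server 'ca' bundle certs:", server_ca.count("BEGIN CERTIFICATE"))
    print("client 'cert' chain certs:", client_cert.count("BEGIN CERTIFICATE"))
```

With a real file, write the two strings to e.g. lotw-roots.crt (server side: ca lotw-roots.crt) and client-chain.crt (client side: cert client-chain.crt); the client's own "ca" still points at the VPN operator's private CA, as the thread explains.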