17 Mar
2016
17 Mar
'16
12:39 a.m.
Ok, so you're trying to generate a server
certificate for your VPN server.
I am trying to generate/gather all the files I need for the server
side so that when its done it works like yours. Where I don't have to
issue client keys, and all that. (Just a config file and the public
key ca.crt file). They can just follow the well documented steps in
the wiki that work for yours.
So I don't need to build a Certificate Signing Request after all?
For this step, we actually do not need *anything* from LotW/TQSL side (and
can not use any)! Just use any openvpn server setup guide's instructions
for setting up a CA and generating a server certificate out from that CA.
That CA cert is then given to the openvpn client, so that the client can
make sure it is talking to the correct server.
This is what I have done before. Builds a private root ca, and all the rest.
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
The first line makes sure we start from scratch. The second generates
a key for the Certificate Authority (ca.crt and ca.key). The key for
the server itself is generated on the third line (server.crt,
server.key, and server.csr) . Repeat the forth line for each client
that needs to connect (client1.key, client1.csr, client.crt, etc).
Finally, we need the Diffie Hellman key as well, which is generated on
the fifth line (dh1024.pem).
In my server config file:
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
The LotW certificates are only used for authenticating
the client. The
server's "ca" config option points to the LotW root certs bundle. The
cleint's "ca" config option points to the private CA which signed the
server's certificate.
A paragraph ago I thought you said build ones own private root ca...
But it sounds like you are now saying I just copy:
C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root
over to the server, rename it to ca.crt?
17 Mar
17 Mar
1:08 a.m.
New subject: OpenVPN
If you want to use LotW keys, you CAN NOT generaty any keys.
Let me motivate:
- LotW has a CA certificate, and its private key.
- using those, it generates some intermediate certificates, public and
private keys.
- using those intermediate certificates, it generates the public and
private keys for the user which are sent to him.
To generate user keys, you NEED the private keys of the intermediate
certificates, which you do not have. These are needed to sign the newly
generated keys.
To set up an encrypted communication channel, as in open VPN, each side
needs to have its own public AND private key, and either the public key of
the peer. To be able to trust the peer, meaning to certify it is the real
peer, one can either manually establish this trust (like manuaally
accepting the certificate in ssh on first connection), or check its
signature against a trusted intermediate certificate, which in turn can be
checked against the root certificate. To do this, you only need the public
certificate, not its private key.
These public ca and intermediate certificates are the ones distrbuted by
LotW.
This allows you to check the validity of a user certificate, but prevents
you from issuing your own (because you do not have their private keys).
3175
days inactive
3175
days old
1 comments
2 participants
participants (2)
-
marius@yo2loj.ro -
Steve L