Ok, so you're trying to generate a server certificate for your VPN server.
I am trying to generate/gather all the files I need for the server side so that when it's done it works like yours, where I don't have to issue client keys, and all that (just a config file and the public key ca.crt file). They can just follow the well documented steps in the wiki that work for yours.
So I don't need to build a Certificate Signing Request after all?
For this step, we actually do not need *anything* from LotW/TQSL side (and can not use any)! Just use any openvpn server setup guide's instructions for setting up a CA and generating a server certificate out from that CA. That CA cert is then given to the openvpn client, so that the client can make sure it is talking to the correct server.
This is what I have done before. Builds a private root ca, and all the rest.
./clean-all
./build-ca
./build-key-server server
./build-key client1
./build-dh
The first line makes sure we start from scratch. The second generates a key for the Certificate Authority (ca.crt and ca.key). The key for the server itself is generated on the third line (server.crt, server.key, and server.csr). Repeat the fourth line for each client that needs to connect (client1.key, client1.csr, client1.crt, etc.). Finally, we need the Diffie-Hellman parameters as well, which are generated on the fifth line (dh1024.pem).
In my server config file:
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
The LotW certificates are only used for authenticating the client. The server's "ca" config option points to the LotW root certs bundle. The client's "ca" config option points to the private CA which signed the server's certificate.
A paragraph ago I thought you said build one's own private root CA...
But it sounds like you are now saying I just copy: C:\Documents and Settings\your-username\Application Data\TrustedQSL\certs\root over to the server, rename it to ca.crt?
If you want to use LotW keys, you CAN NOT generate any keys.
Let me motivate:
- LotW has a CA certificate, and its private key.
- Using those, it generates some intermediate certificates, public and private keys.
- Using those intermediate certificates, it generates the public and private keys for the user, which are sent to him.
To generate user keys, you NEED the private keys of the intermediate certificates, which you do not have. These are needed to sign the newly generated keys.
To set up an encrypted communication channel, as in OpenVPN, each side needs to have its own public AND private key, and the public key of the peer. To be able to trust the peer, meaning to certify it is the real peer, one can either manually establish this trust (like manually accepting the certificate in ssh on first connection), or check its signature against a trusted intermediate certificate, which in turn can be checked against the root certificate. To do this, you only need the public certificate, not its private key. These public CA and intermediate certificates are the ones distributed by LotW. This allows you to check the validity of a user certificate, but prevents you from issuing your own (because you do not have their private keys).
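The following script is an added illustration of the trust model laid out in this reply and of the two-CA split described earlier in the thread (easy-rsa's build-ca/build-key-server on one side, the LotW public bundle on the other). It is not code from the thread, from easy-rsa, or from LotW/TQSL: it builds a constructed "LotW-like" root and intermediate, a constructed private OpenVPN CA, and constructed subject names, using only the openssl command-line tool. It then shows what a server can do with the public bundle alone (verify a user certificate), what it cannot do (verify a cert from a different CA, or issue a new user cert without the intermediate's private key), and that the server certificate verifies only against the private CA, which is what the client's "ca" option points to.

```shell
#!/bin/sh
# Added example: constructed two-CA setup mirroring the thread's trust model.
# Not the thread's, easy-rsa's or LotW's code; all names/paths are made up here.
set -eu

# Minimal config so the script does not depend on the system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
}

# Self-signed CA, key and certificate in one step (what ./build-ca does).
make_root() {  # make_root DIR NAME CN
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/$2.key" -out "$1/$2.crt" \
        -days 365 -subj "/CN=$3" -config "$1/openssl.cnf" 2>/dev/null
}

# CSR plus signature by a CA whose PRIVATE key we hold (./build-key-server etc.).
issue() {  # issue DIR CA NAME CN EXTSECTION
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$3.key" -out "$1/$3.csr" \
        -subj "/CN=$4" -config "$1/openssl.cnf" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -out "$1/$3.crt" -days 365 \
        -extfile "$1/openssl.cnf" -extensions "$5" 2>/dev/null
}

build_pki() {  # build_pki DIR
    write_openssl_cnf "$1/openssl.cnf"
    # Constructed "LotW-like" side: root -> intermediate -> user certificate.
    make_root "$1" lotw-root "Constructed LotW-like Root CA"
    issue "$1" lotw-root lotw-int "Constructed LotW-like Intermediate CA" v3_ca
    issue "$1" lotw-int user "Constructed user" v3_leaf
    # Public certificates only: this bundle is what the OpenVPN server's
    # "ca" option points to. No private key is in it.
    cat "$1/lotw-root.crt" "$1/lotw-int.crt" > "$1/lotw-bundle.crt"
    # Private side: our own CA signs the server certificate; the client's
    # "ca" option points to ca.crt (the public half of this CA).
    make_root "$1" ca "Constructed private OpenVPN CA"
    issue "$1" ca server "vpn.example.test" v3_leaf
}

# Returns 0 if CERT chains to a certificate in BUNDLE. Only public
# certificates are consulted; verification needs no private key.
verify_against() {  # verify_against BUNDLE CERT
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Try to issue a user certificate holding only the intermediate's public
# certificate (no -CAkey). Returns 0 only if openssl accepted it.
issue_without_private_key() {  # issue_without_private_key DIR
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/rogue.key" \
        -out "$1/rogue.csr" -subj "/CN=rogue" -config "$1/openssl.cnf" 2>/dev/null
    openssl x509 -req -in "$1/rogue.csr" -CA "$1/lotw-int.crt" \
        -out "$1/rogue.crt" -days 365 2>/dev/null
}

PKI_DIR="$(mktemp -d)"
build_pki "$PKI_DIR"
if verify_against "$PKI_DIR/lotw-bundle.crt" "$PKI_DIR/user.crt"; then
    echo "user.crt verifies against the public LotW-like bundle (server side: OK)"
fi
if ! verify_against "$PKI_DIR/lotw-bundle.crt" "$PKI_DIR/server.crt"; then
    echo "server.crt does not: it was signed by the private CA, not the bundle"
fi
if verify_against "$PKI_DIR/ca.crt" "$PKI_DIR/server.crt"; then
    echo "server.crt verifies against ca.crt (client side: OK)"
fi
if ! issue_without_private_key "$PKI_DIR"; then
    echo "issuing a user cert with only lotw-int.crt (no private key) fails"
fi
```

Run it as-is; it works in a throwaway directory and prints four lines. The two "ca" options from the thread map directly onto the files it produces: the server's "ca" is lotw-bundle.crt, the client's "ca" is ca.crt, and neither side ever needs the other CA's private key.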