draft HOWTO "Use a Windows CA with OpenVPN"

draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Tue Oct 12, 2010 4:24 am

At this link:

http://www.felines.org/OpenVPN-Windows_CA-Instructions.htm

... I've posted a first draft of a "How to" document describing a way to use a Windows "Certificate Services" provided Certificate Authority (built in to Windows Server, and assuming a Domain context) as the CA for OpenVPN Server and Clients.

I'd appreciate feedback and suggestions for improving the document, so that I can get it to a point where it should join the Tutorials.

One shortcoming I know in my current method is that, since OpenVPN appears to trust *all* certificates signed by the "root" CA whose certificate is referenced in the OpenVPN Server's config .ovpn file, I really should suggest using an intermediate CA created solely for OpenVPN purposes (unless of course the Domain manager wants anyone who has any certificate issued by his Domain's CA to be able to authenticate to his OpenVPN). It would be quite nice if OpenVPN supported an option to allow only certificates which are both signed by a particular CA and have a particular extension / particular DN element, to avoid this need for an intermediate CA. (OpenVPN authors, what do you think?)

Polite and informative comments will be welcomed and thanked. Rude name calling, even if I have indeed made a stupid security error (as it has been a decade since I ran an enterprise Entrust PKI and a bunch of VPN servers), will be ignored, so don't waste your time.

Thanks!
Jay

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby zespri » Wed Oct 13, 2010 9:04 am

Many images on the page do not exist. To give an example: http://www.felines.org/OpenVPN-Windows_ ... age028.jpg

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Wed Oct 13, 2010 8:25 pm

What's wrong with making an intermediate CA?
(or even a different CA altogether than what the rest of the business uses)
I will make this sticky.
I would like to see this make it to tutorials too; people should have options when it comes to how they choose to manage their PKI.
:mrgreen:

Re: missing images

Postby libove » Wed Oct 13, 2010 9:09 pm

Zespree, thanks - turns out my upload of the document's subsidiary files hadn't completed successfully. That's been fixed now.
-Jay

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Wed Oct 13, 2010 9:26 pm

krzee wrote:What's wrong with making an intermediate CA?
(or even a different CA altogether than what the rest of the business uses)


I guess you're asking about my request to the OpenVPN authors to give flexibility about which specific certificates issued by a particular CA to trust for OpenVPN client authentication?

There's nothing "wrong" with an intermediate CA, for those environments which do not object to the complexity of having an intermediate CA. By the same token, there is nothing wrong with the OpenVPN documentation's recommendation of an off-line master CA, but only very large / sophisticated organizations do that, again because of the complexity.

As far as I can tell, on a Windows Server 2008 (original edition, which is what mine happens to be - I don't know if this has changed on Windows Server 2008R2), you cannot have two CAs on one single server. So there would be an additional server cost to having an intermediate CA.

For very small environments, this is a burden, which would not be necessitated by OpenVPN if OpenVPN offered the option to restrict which certificates issued by a particular CA could be used for OpenVPN authentication to certificates containing a specific DN path (e.g. OU=OpenVPN Authentication) and/or containing a particular certificate purpose extension (not sure if an existing one would do, e.g. client authentication, or if that is too commonly incorrectly included in certificates issued to users).


Regarding having an altogether different CA (which is what OpenVPN encourages by default), I do think there is something wrong with that idea. It not only brings complexity; the default OpenSSL self-signed CA also requires more infrastructure (distributing the new CA's certificate), and is much less functional than a commercial CA (no CRL distribution point, no certificate auto-re-enrollment at end-of-life) and so is much more likely to be managed insecurely.


Please continue with the feedback - let's get this document really useful to people!
(And, politely, please do tell me where I've totally %$#%$ed up, because I've surely got something wrong, missed a security nit, or in some other way given bad advice(TM) which should be corrected before this really becomes a tutorial! Thanks!).
-Jay

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Fri Oct 15, 2010 12:24 pm

libove wrote: By the same token, there is nothing wrong with the OpenVPN documentation's recommendation of an off-line master CA, but only very large/ sophisticated organizations do that, again because of the complexity.


Sophisticated? Hell, I do that for my VPNs; it is far from sophisticated to have a weak computer hanging around with no network connection.

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Fri Oct 15, 2010 12:36 pm

libove wrote:As far as I can tell, on a Windows Server 2008 (original edition, which is what mine happens to be - I don't know if this has changed on Windows Server 2008R2), you cannot have two CAs on one single server. So there would be an additional server cost to having an intermediate CA.

Sounds like a shortcoming in the windows CA software.

libove wrote:or contained a particular certificate purpose extension (not sure if an existing one would do e.g. client authentication, or if that is too-commonly incorrectly included in certificates issued to users).

ns-cert-type client|server
or
remote-cert-tls client|server

libove wrote:Regarding having an altogether different CA (which is what OpenVPN encourages by default), I do think there is something wrong with that idea. It not only brings complexity, the default OpenSSL self-signed CA requires more infrastructure (distributing the new CA's certificate), and is much less functional than a commercial CA (no CRL distribution point, no certificate auto-re-enrollment at end-of-life) and so is much more likely to be managed insecurely.

I do not see how this adds complexity. Yes, you must distribute the CA cert, but the CA must also sign and distribute the client's cert, so it adds nothing to hand over the CA cert at the same time. The CRL only needs to be accessed by the server.
Auto-re-enrollment sounds like it would make something easier to be managed insecurely.

libove wrote:Please continue with the feedback - let's get this document really useful to people!
(And, politely, please do tell me where I've totally %$#%$ed up, because I've surely got something wrong, missed a security nit, or in some other way given bad advice(TM) which should be corrected before this really becomes a tutorial! Thanks!).
-Jay


Right on, and thanks for making a writeup to help people... but since I do not use windows I will not be able to follow along / test stuff.

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Mon Oct 25, 2010 3:27 pm

libove wrote: It would be quite nice if OpenVPN supported an option to allow only certificates which are both signed by a particular CA and have a particular extension / particular DN element, to avoid this need for an intermediate CA. (OpenVPN authors, what do you think?)


I just realized, you CAN do this (and anything else along those lines) with a tls-verify script

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Tue Oct 26, 2010 10:51 pm

Thanks krzee - that's a great pointer!

I've spent some hours working on this, and I've been frustrated, as follows:

Whether it's a Microsoft thing or an X.509 standard thing I'm not sure, but:
1. the OU fields do not seem to make it in to the actual certificate, so looking for OU="OpenVPN dept" doesn't seem to be possible
2. the CN field length limit, despite a MS document saying it is 64 characters (http://msdn.microsoft.com/en-us/library ... dname.aspx), seems to actually be 40 characters (in the Windows 7 MMC Certificates snap-in Request form), and anyway since FQDNs can be at least 63 characters (up to 255 really, I think) we can't make the CN="wkstn.domain.com OpenVPN cert" - we'd too often run out of characters.

So, how to get something in to the certificate, without running in to length limits, so that the something can be checked by a tls-verify script on the server?

Cheers,
Jay

p.s. Also flummoxed by how to get whitespace embedded in the path to the tls-verify script in the server.ovpn file on Windows. Whereas "C:\\Program Files\\..." works okay for config file paths, I couldn't find any combination of ", \", "", "\ ", etc, which would survive the openve() or system() call... I keep getting errors about how the program "C:\Program" doesn't exist. I've been testing, in the interim, with the tls-verify script directly in C:\ but that can't stand for production of course. Thanks.

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Tue Oct 26, 2010 11:26 pm

libove wrote:Thanks krzee - that's a great pointer!

you're welcome
1. the OU fields do not seem to make it in to the actual certificate, so looking for OU="OpenVPN dept" doesn't seem to be possible

make your script echo out $2 and see what you have to play with
2. the CN field length limit, despite a MS document saying it is 64 characters ..seems to actually be 40 characters

So, how to get something in to the certificate, without running in to length limits, so that the something can be checked by a tls-verify script on the server?

You don't HAVE to choose such a long naming system... Nothing in the certificate HAS to be the hostname.


p.s. Also flummoxed by how to get whitespace embedded in the path to the tls-verify script in the server.ovpn file on Windows. Whereas "C:\\Program Files\\..." works okay for config file paths, I couldn't find any combination of ", \", "", "\ ", etc, which would survive the openve() or system() call... I keep getting errors about how the program "C:\Program" doesn't exist. I've been testing, in the interim, with the tls-verify script directly in C:\ but that can't stand for production of course. Thanks.

cd "C:\\Program Files\\..." (or "C:/Program Files/...")
tls-verify "scriptfile"

Hope that helps

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Wed Oct 27, 2010 12:18 am

$2 passed to the tls-verify is only the CN.
The environment variables hold a few other X509_$n_fieldnames, but nothing to uniquely identify the client.

Indeed, the CN isn't required to be the FQDN. So a workaround is to put something other than what I want in there to accommodate technology limitations... but I don't like being limited by technology :-)

About the whitespace in paths... WOW. I never even considered the possibility of a "CD" directive in the config file... Okay, that worked...

More later.
Thanks again.

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Wed Oct 27, 2010 12:27 am

http://openvpn.net/index.php/open-sourc ... .html#lbAT
maybe this can help
tls_id_{n}
A series of certificate fields from the remote peer, where n is the verification level. Only set for TLS connections. Set prior to execution of --tls-verify script.

X509_{n}_{subject_field}
An X509 subject field from the remote peer certificate, where n is the verification level. Only set for TLS connections. Set prior to execution of --tls-verify script. This variable is similar to tls_id_{n} except the component X509 subject fields are broken out, and no string remapping occurs on these field values (except for remapping of control characters to "_"). For example, the following variables would be set on the OpenVPN server using the sample client certificate in sample-keys (client.crt). Note that the verification level is 0 for the client certificate and 1 for the CA certificate.

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Wed Oct 27, 2010 2:38 am

Yeah, I looked at the tls_$n_* and x509_$n_* variables. I had already coded my tls-verify script to open a debug log file and dump the entire environment, in hopes of finding some juicy nuggets of data in there. Not much luck.

Here's what I got (with some irrelevant environment variables removed for brevity, with $n=1 and $n=0 level outputs merged for convenience):

Environment contains:
X509_1_DC=AD3
X509_1_CN=AD3-RESET7-CA
X509_0_CN=MW-CLT-1.AD3.felines.org

tls_id_1=/DC=org/DC=felines/DC=AD3/CN=AD3-RESET7-CA
tls_id_0=/CN=MW-CLT-1.AD3.felines.org
tls_serial_1=-1
tls_serial_0=-1

script_type=tls-verify

daemon_log_redirect=1
PROGRAMFILES=C:\Program Files
verb=5
OS=Windows_NT
LOCALAPPDATA=C:\Windows\system32\config\systemprofile\AppData\Local
PWD=/cygdrive/c/Program Files/OpenVPN/bin
nodosfilewarning=2
dev=OpenVPN Adapter #1
SHLVL=1
untrusted_ip=192.168.255.38
FP_NO_HOST_CHECK=NO
route_network_1=10.8.0.0
PATH=...
proto_1=udp
route_gateway_1=10.8.0.2
local_port_1=1194
daemon_start_time=1288174781
TEMP=/cygdrive/c/Windows/TEMP
ifconfig_local=10.8.0.1
SYSTEMROOT=C:\WINDOWS
ifconfig_remote=10.8.0.2
remote_port_1=1194
daemon_pid=5704
untrusted_port=64170
WINDIR=C:\Windows
daemon=0
ProgramData=C:\ProgramData
local_1=192.168.255.4
route_vpn_gateway=10.8.0.2
_=/usr/bin/perl
route_netmask_1=255.255.255.0
!C:=C:\Program Files\OpenVPN\bin
COMPUTERNAME=RESET7
config=server.ovpn
TMP=/cygdrive/c/Windows/TEMP
script_context=init

So, not enough X509 or TLS variables to figure out anything beyond the CN about the client :-(

Am I doing something wrong? That is, should there be more, and/or more interesting, X509 and TLS variables set in the environment?

As a reminder in case it matters, this is a Windows Server 2008, 32-bit, original edition, Domain Controller, Certificate Authority, running the OpenVPN 2.1.3 i686-pc-mingw32 [SSL] [LZO2] [PKCS11] built on Aug 20 2010 community binary. The version of PERL on the system is from cygwin_nt-5.1 reini 1.7.5(0.22553) 2010-04-12 19:07 i686 cygwin, v5.10.1 (*) built for i686-cygwin-thread-multi-64int with 13 registered patches.
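The tls-verify approach krzee suggested earlier, worked through as an added example (this is not code from the thread or from the OpenVPN project). OpenVPN invokes the --tls-verify command once per certificate in the peer's chain, root first, with two arguments: the depth (0 is the peer's own certificate, 1 its issuer) and the subject DN as a single slash-separated string, exactly the shape of the tls_id_0 / tls_id_1 values in the environment dump above. The script only sees what is in the subject, so the certificate template must actually put the discriminating attribute there; and OpenVPN remaps characters outside its safe set to "_" in that argument (the manual text quoted above notes that only the X509_{n}_* variables escape this), so the values matched here avoid spaces. The issuer CN is taken from the dump; the OU value and the script name verify.py are assumptions for the example.

```python
#!/usr/bin/env python3
"""tls-verify policy script for OpenVPN (added example; not from the thread or
the OpenVPN project).

OpenVPN runs the --tls-verify command once per certificate in the peer's chain,
from the root down to the peer, with two arguments:
    argv[1]  certificate depth: 0 = the peer's own cert, 1 = its issuer, ...
    argv[2]  that certificate's X509 subject DN as one string, e.g.
             "/DC=org/DC=felines/DC=AD3/CN=AD3-RESET7-CA"
Exit status 0 accepts that certificate; anything else aborts the handshake.
OpenVPN remaps characters outside its safe set to "_" in argv[2], so the
values matched here deliberately avoid spaces and other punctuation.
"""
import sys

# Assumed policy for this example. The issuer CN is the one that appears in the
# environment dump in the thread; the OU is a hypothetical value that only
# VPN-enabled client certificates would carry (set it in the cert template).
EXPECTED_ISSUER_CN = "AD3-RESET7-CA"
REQUIRED_OU = "OpenVPN-Clients"


def parse_subject(dn):
    """Split OpenVPN's slash-separated subject string into ordered (key, value)
    pairs. Duplicate keys (several DC= components) are kept, not collapsed."""
    pairs = []
    for component in dn.split("/"):
        if not component:
            continue
        key, sep, value = component.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % component)
        pairs.append((key, value))
    return pairs


def values(pairs, key):
    """All values of one attribute type, in subject order."""
    return [v for k, v in pairs if k == key]


def verify_peer(depth, subject_dn):
    """Decide whether the certificate at this depth is acceptable.
    Returns (accepted, reason); accepted becomes the script's exit status."""
    pairs = parse_subject(subject_dn)
    if depth == 0:
        # The peer certificate itself: it must carry the VPN-only OU. Any other
        # certificate from the same CA (user, machine, web server) is refused.
        if REQUIRED_OU not in values(pairs, "OU"):
            return False, "peer cert lacks OU=%s: %s" % (REQUIRED_OU, subject_dn)
        if not values(pairs, "CN"):
            return False, "peer cert has no CN: %s" % subject_dn
        return True, "peer cert accepted: %s" % subject_dn
    if depth == 1:
        # The direct issuer must be the expected CA. Pinning its CN, rather than
        # accepting any chain that ends at the trusted root, blocks certificates
        # from other CAs that may later be added under the same root.
        if values(pairs, "CN") != [EXPECTED_ISSUER_CN]:
            return False, "unexpected issuer: %s" % subject_dn
        return True, "issuer accepted: %s" % subject_dn
    # A deeper chain (an intermediate between the pinned issuer and a root) is
    # outside this policy; refuse it rather than silently accept.
    return False, "chain deeper than expected at depth %d: %s" % (depth, subject_dn)


def main(argv):
    """Entry point as OpenVPN calls it: exit 0 to accept, non-zero to reject."""
    if len(argv) != 3:
        sys.stderr.write("usage: %s <depth> <subject-dn>\n" % argv[0])
        return 2
    try:
        depth = int(argv[1])
    except ValueError:
        sys.stderr.write("bad depth %r\n" % argv[1])
        return 2
    try:
        accepted, reason = verify_peer(depth, argv[2])
    except ValueError as exc:
        accepted, reason = False, str(exc)
    sys.stderr.write("tls-verify: %s\n" % reason)
    return 0 if accepted else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

To wire it in, the server config needs `script-security 2` and a `tls-verify` line naming the interpreter and the script (the `cd` directive krzee gave above sidesteps the space in "Program Files"). Note that tls-verify narrows, it does not replace: the chain still has to validate against the `ca` file first, and this script then refuses any certificate from that CA that was not issued for VPN use, which is the same effect the original post wanted from a dedicated intermediate CA.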

Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby krzee » Sun Nov 28, 2010 7:30 am


Re: draft HOWTO "Use a Windows CA with OpenVPN"

Postby libove » Sun Nov 28, 2010 8:11 am

krzee wrote:http://article.gmane.org/gmane.network.openvpn.devel/4185
looks like you weren't alone!


:mrgreen:

