understanding rsa management

capitansig
OpenVpn Newbie
Posts: 1
Joined: Tue Dec 21, 2010 8:40 pm
Post by capitansig » Tue Dec 21, 2010 9:00 pm

Hi

I have installed an OpenVPN box working with LDAP auth with Novell (working great) and certificates to validate users.
It is working fine, but I have some doubts with the certs.

Every time I need to give access to a new user I follow the steps listed in the OpenVPN HOWTO:

- run "vars"
- run build-key %user%

After that process I copy the %user%.crt, %user%.key, ca.crt and the defaultconfig.ovpn (file with the client config).
Again, this works fine, but below are my doubts.

That cert works on every computer with any user.
So if I create a cert for a user, that user can copy this cert to give access to other people.
But I would like to know if there is a way to attach a cert to a user or to a computer.

As you can see I don't have expertise using those certs, so any help is welcome.

Version 1.2.3-RELEASE
built on Sun Dec 6 23:21:36 EST 2009

gladiatr72
Forum Team
Posts: 194
Joined: Mon Dec 13, 2010 3:51 pm
Location: Lawrence, KS

Re: understanding rsa management

Post by gladiatr72 » Thu Dec 23, 2010 12:17 pm

In short: no.

You've made an important decision in requiring user/password authentication by way of your LDAP service, but client certificates are only as secure as the clients themselves. Unfortunately, it is not an issue that can be solved technically :)

A similar, if not more important problem that must be addressed periodically, is the shared DH key. It's a functionally fantastic idea: If you do not have this key, you cannot even communicate with the openvpn daemon; however, the more clients have the key the less meaningful its protection becomes.

If you are concerned with the trustworthiness of client certificate holders, you could implement a policy that shortens the lifespan of the client certificates. Without careful planning and customer education, this can become a management nightmare, but if the data behind your firewalls is important enough, such planning would be worth it.

Regards,
Stephen
[...] I used to think it was awful that life was so unfair. [...] Wouldn't it be much worse if life were fair, and all the terrible things that happen to us come because we actually deserve them? -Marcus Cole
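The question above is whether a copied cert can be tied to one person, and the answer is that it cannot be enforced technically. What an admin can do is watch for the symptom: the same certificate common name connecting from more than one source address. The following is an added example, not code from either poster, that parses OpenVPN's version-1 status file (written when `status openvpn-status.log` is set in server.conf) and assumes several snapshots of that file have been collected over time.

```python
# Added example (not from the thread): spot a client cert (its common name)
# that has connected from more than one source IP, using OpenVPN's version-1
# status file ("status openvpn-status.log" in server.conf). Assumes an admin
# keeps several snapshots of that file over time.
from collections import defaultdict

def parse_client_list(status_text):
    """Yield (common_name, source_ip) pairs from the CLIENT LIST section."""
    in_clients = False
    for line in status_text.splitlines():
        if line.startswith("OpenVPN CLIENT LIST"):
            in_clients = True
        elif line.startswith(("ROUTING TABLE", "GLOBAL STATS", "END")):
            in_clients = False
        elif in_clients and not line.startswith(("Updated,", "Common Name,")):
            fields = line.split(",")
            if len(fields) >= 5:
                # Real Address is "ip:port"; keep only the IP
                yield fields[0], fields[1].rsplit(":", 1)[0]

def shared_cert_suspects(snapshots, threshold=2):
    """Return {cn: sorted IPs} for every CN seen from at least `threshold` IPs."""
    seen = defaultdict(set)
    for snap in snapshots:
        for cn, ip in parse_client_list(snap):
            seen[cn].add(ip)
    return {cn: sorted(ips) for cn, ips in seen.items() if len(ips) >= threshold}

# Constructed snapshots; addresses are from documentation ranges, not real hosts.
SNAPSHOT_1 = """OpenVPN CLIENT LIST
Updated,Thu Dec 23 12:00:00 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,203.0.113.5:51234,1024,2048,Thu Dec 23 11:00:00 2010
bob,198.51.100.7:40001,512,777,Thu Dec 23 11:30:00 2010
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,alice,203.0.113.5:51234,Thu Dec 23 11:59:00 2010
END
"""
SNAPSHOT_2 = """OpenVPN CLIENT LIST
Updated,Thu Dec 23 18:00:00 2010
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
alice,192.0.2.44:60002,300,400,Thu Dec 23 17:45:00 2010
bob,198.51.100.7:40001,9000,9100,Thu Dec 23 11:30:00 2010
END
"""

if __name__ == "__main__":
    for cn, ips in shared_cert_suspects([SNAPSHOT_1, SNAPSHOT_2]).items():
        print(f"review {cn}: connected from {', '.join(ips)}")
```

A CN seen from several addresses is a signal to review with the user (laptop on the road, or a copied cert), not proof of sharing; a server without `--duplicate-cn` will only ever show one session per CN at a time, which is why the check aggregates over snapshots rather than a single file.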
