Hi,
is there any option to use the "system certificates" instead of locally provided ones?
I can create and use x509 SSL certificates whose CAs are included in the system stores...
Furthermore can I configure the server to deliver intermediate certificates as well?
Use system ca certificates
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 24, 2022 9:00 am
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 24, 2022 9:00 am
Re: Use system ca certificates
BTW: I am using the Android app as client - but the function would be useful in the Linux/Windows client as well....
-
- OpenVPN Protagonist
- Posts: 11138
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Use system ca certificates
eingemaischt wrote: ↑Thu Feb 24, 2022 9:06 am
"I can create and use x509 SSL certificates whose CAs are included in the system stores.."

So can anybody else, and then they can use your VPN without your permission.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 24, 2022 9:00 am
Re: Use system ca certificates
Hi,
sorry, I was not clear enough: I want to use the system ca store for the authentication of the server to prevent MITM attacks.
-
- OpenVPN Protagonist
- Posts: 11138
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Use system ca certificates
I don't know what you really want. Just use Easy-RSA3 to generate your certificates.
-
- OpenVpn Newbie
- Posts: 5
- Joined: Thu Feb 24, 2022 9:00 am
Re: Use system ca certificates
Sorry. I do have the following problem:
We have about 60 tablets with OpenVPN Connect.
Our VPN server uses an x509 certificate from an "official" (as in: CA certificate installed on Android by default) PKI. We also enrolled the CA certificate with our profile. The authentication of the client is done by pre-shared key.
But at the end of 2022 we'll have to change that CA certificate.
We now have three alternatives:
1) Make the app use Android's certificate store for the CA certificate instead. This would be great for transition, because we can roll out the config without changing anything on the server - and without the need to change all configs on all tablets simultaneously.
2) Make the app use a new CA certificate. This would mean that we have to change all configs on all tablets simultaneously - or to create a second VPN server during the transition.
3) Make the app accept two CA certificates - all the advantages from 1) + we would be able to change to a self-signed cert with LOOOONG lifetime...
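Alternative 3 from the last post, sketched as an added example that is not part of the original thread: a helper that appends the new CA to a profile's inline `<ca>` block, so a tablet trusts only the old and the new CA during the transition rather than every CA in the system store. It assumes OpenVPN Connect reads several concatenated PEM certificates in `<ca>` the way OpenVPN documents for the `--ca` file (check this on one tablet first); the profile, hostname and certificate bodies are constructed placeholders, and the function names are hypothetical.

```python
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
CA_BLOCK_RE = re.compile(r"<ca>(.*?)</ca>", re.S)

# Constructed sample profile; the base64 bodies are placeholders, not real certificates.
SAMPLE_PROFILE = """client
dev tun
remote vpn.example.org 1194
<ca>
-----BEGIN CERTIFICATE-----
T0xELUNBLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
</ca>
"""
NEW_CA = """-----BEGIN CERTIFICATE-----
TkVXLUNBLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
"""

def _fingerprint(pem):
    # Compare certificates by text with all whitespace removed (line wrapping may differ).
    return "".join(pem.split())

def add_ca_to_profile(profile, new_ca_pem):
    """Return the profile with new_ca_pem appended to the inline <ca> bundle."""
    new_certs = PEM_RE.findall(new_ca_pem)
    if not new_certs:
        raise ValueError("new CA input contains no PEM certificate")
    block = CA_BLOCK_RE.search(profile)
    if block is None:
        raise ValueError("profile has no inline <ca> block")
    merged = PEM_RE.findall(block.group(1))      # old CA(s) stay first
    seen = {_fingerprint(c) for c in merged}
    for cert in new_certs:                       # skip CAs already trusted
        if _fingerprint(cert) not in seen:
            seen.add(_fingerprint(cert))
            merged.append(cert)
    bundle = "<ca>\n" + "\n".join(c.strip() for c in merged) + "\n</ca>"
    return profile[:block.start()] + bundle + profile[block.end():]

def trusted_ca_count(profile):
    """Number of CA certificates in the profile's inline <ca> block."""
    block = CA_BLOCK_RE.search(profile)
    return len(PEM_RE.findall(block.group(1))) if block else 0
```

Running it again on an already updated profile changes nothing, so the same step can be repeated across all tablets; once the server presents a certificate from the new CA, the old entry can be dropped from the bundle.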