Use system ca certificates
Posted: Thu Feb 24, 2022 9:06 am
by eingemaischt
Hi,
is there any option to use the "system certificates" instead of locally provided ones?
I can create and use x509 SSL certificates whose CAs are included in the system stores...
Furthermore can I configure the server to deliver intermediate certificates as well?
Re: Use system ca certificates
Posted: Tue Mar 01, 2022 8:30 am
by eingemaischt
BTW: I am using the android app as client - but the function would be useful in the linux/windows client as well....
Re: Use system ca certificates
Posted: Tue Mar 01, 2022 2:22 pm
by TinCanTech
eingemaischt wrote: ↑Thu Feb 24, 2022 9:06 am
I can create and use x509 SSL certificates whose CAs are included in the system stores..
So can anybody else and then they can use your VPN without your permission.
Re: Use system ca certificates
Posted: Thu Mar 10, 2022 2:11 pm
by eingemaischt
Hi,
sorry, I was not clear enough: I want to use the system ca store for the authentication of the server to prevent MITM attacks.
Re: Use system ca certificates
Posted: Thu Mar 10, 2022 4:10 pm
by TinCanTech
I don't know what you really want. Just use Easy-RSA3 to generate your certificates.
Re: Use system ca certificates
Posted: Thu Apr 14, 2022 8:25 am
by eingemaischt
Sorry. I do have the following problem:
We have about 60 Tablets with openvpn connect.
Our VPN server uses an x509 certificate from an "official" (as in: CA certificate installed on Android by default) PKI. We also enrolled the CA certificate with our profile. The authentication of the client is done by pre-shared key.
But at the end of 2022 we'll have to change that ca certificate.
We now have three alternatives:
1) Make the app use Android's certificate store for the CA certificate instead. This would be great for transition, because we can roll out the config without changing anything on the server - and without the need to change all configs on all tablets simultaneously.
2) Make the app use a new CA certificate. This would mean that we have to change all configs on all tablets simultaneously - or to create a second VPN server during the transition.
3) Make the app accept two CA certificates - all the advantages from 1) + we would be able to change to a self-signed cert with LOOOONG lifetime...
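Alternative 3) and the intermediate-certificate question from the first post can both be covered with standard OpenVPN 2.x directives, shown here as an added example that is not from the thread or the OpenVPN project: the client profile's `<ca>` block may hold several concatenated CA certificates (any one of them can validate the server), and the server's `extra-certs` directive ships the intermediates. The PEM bodies, the hostname vpn.example.org and the file names are placeholders for this example.

```conf
# ---- client profile (e.g. tablet.ovpn for OpenVPN Connect) ----
client
dev tun
proto udp
remote vpn.example.org 1194
nobind

# Two trusted issuers concatenated: the current public CA that is about to
# expire and the long-lived private CA it will be replaced with. The server
# cert only has to chain to one of them, so profiles can be rolled out before
# the server switches, and the old CA is removed from the bundle afterwards.
<ca>
-----BEGIN CERTIFICATE-----
...placeholder: current (public) root CA, PEM...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...placeholder: new long-lived private root CA, PEM...
-----END CERTIFICATE-----
</ca>

# Because the bundle now trusts a public CA, restrict which certificate is
# accepted: it must be a TLS *server* certificate (EKU check) and its CN must
# be exactly the VPN hostname, so any other certificate issued by that public
# CA is rejected even though its issuer is trusted.
remote-cert-tls server
verify-x509-name vpn.example.org name

# ---- server side (server.conf) ----
# cert/key are the leaf certificate and its private key; extra-certs holds the
# intermediate CA certificate(s) from the public PKI, concatenated in PEM
# format, so the full chain is sent to the client during the TLS handshake.
# cert        /etc/openvpn/server/vpn.example.org.crt
# key         /etc/openvpn/server/vpn.example.org.key
# extra-certs /etc/openvpn/server/intermediates.pem
```

Once every tablet runs the two-CA profile, the server certificate can be reissued from the private CA with no client change, and a later profile update drops the public root from `<ca>`.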