Simplify certificate management of large organizations with DANE

This is where we can discuss what we would like to see added or changed in OpenVPN.
renne
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 15, 2013 1:17 pm

Simplify certificate management of large organizations with DANE

Post by renne » Wed Oct 31, 2018 8:17 pm

Hi,

currently admins have the hassle of setting up a certificate authority and distributing certificates to client machines.

DNS-based Authentication of Named Entities (IETF RFC 6698) allows the use of self-signed certificates and publishes the hashes of the certificates via DNSSEC-secured TLSA DNS resource records. OpenVPN servers and clients can generate their self-signed certificates themselves. The operator of an OpenVPN client would communicate the hash of the self-signed certificate to the DNS administrator once. When a certificate expires, the OpenVPN client can use the old certificate to send the hash of the new certificate to the OpenVPN server, which can update the TLSA RRs of the OpenVPN client and itself via dynamic DNS (IETF RFC 2136/RFC 2931).

OpenSSL already provides functions for DANE-validation.

ToDo:
OpenVPN-server:
- Generate and renew self-signed certificates automatically
- Receive hashes of renewed certificates from OpenVPN-clients
- Update TLSA DNS-RRs via dynamic DNS (IETF RFC 2136/RFC 2931)
- Validate certificates via DANE-TLS (IETF RFC 6698)

OpenVPN-client:
- Generate and renew self-signed certificates automatically
- Display hash of first certificate for manual exchange
- Send hashes of renewed certificates to OpenVPN-server
- Validate certificates via DANE-TLS (IETF RFC 6698)
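To make the TLSA side of this proposal concrete, here is an added example (not code from OpenVPN, OpenSSL or the poster) that builds DANE-EE (usage 3) TLSA records for a self-signed peer key, parses them back from zone-file form, performs the RFC 6698 match a validator would do, and walks through the key-rotation step the post describes: the renewed key is published next to the old one, and the old record is dropped only after the transition. The owner name `_1194._udp.vpn.example.com.`, the key bytes, and the Ed25519 SubjectPublicKeyInfo encoding (hard-coded from RFC 8410 so the script needs no crypto library) are constructed sample values; a real certificate would supply its own SPKI or DER.

```python
"""DANE-EE TLSA record generation, parsing and matching for a self-signed peer key.

Added example only; not OpenVPN or OpenSSL code. Owner name and key bytes are
constructed sample values.
"""
import hashlib
import hmac

# TLSA field values (RFC 6698 section 2.1, mnemonics from RFC 7218).
USAGE_DANE_EE = 3      # trust this end-entity cert/key directly, no CA chain needed
SELECTOR_CERT = 0      # association covers the whole DER certificate
SELECTOR_SPKI = 1      # association covers only SubjectPublicKeyInfo (survives re-issuance)
MATCH_FULL = 0         # association data is the selected object itself
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# DER prefix of a SubjectPublicKeyInfo for Ed25519 (RFC 8410 section 4):
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) + 32 key bytes }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")

OWNER = "_1194._udp.vpn.example.com."   # constructed sample: OpenVPN's default UDP port
OLD_KEY = bytes(range(32))               # constructed sample key bytes, not a real key
NEW_KEY = bytes(range(32, 64))


def ed25519_spki(raw_public_key: bytes) -> bytes:
    """Wrap a raw 32-byte Ed25519 public key in its DER SubjectPublicKeyInfo."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_public_key


def association_data(selected: bytes, matching: int) -> bytes:
    """Apply the TLSA matching type to the selected certificate data."""
    if matching == MATCH_FULL:
        return selected
    if matching == MATCH_SHA256:
        return hashlib.sha256(selected).digest()
    if matching == MATCH_SHA512:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {matching}")


def tlsa_rdata(selected: bytes, usage: int = USAGE_DANE_EE,
               selector: int = SELECTOR_SPKI, matching: int = MATCH_SHA256) -> tuple:
    """RDATA as (usage, selector, matching, hex association data)."""
    return (usage, selector, matching, association_data(selected, matching).hex())


def tlsa_presentation(owner: str, rdata: tuple) -> str:
    """Zone-file line, e.g. the record an RFC 2136 dynamic update would add."""
    usage, selector, matching, hexdata = rdata
    return f"{owner} IN TLSA {usage} {selector} {matching} {hexdata}"


def parse_tlsa(line: str) -> tuple:
    """Parse a presentation-format TLSA line back into RDATA fields."""
    fields = line.split()
    if len(fields) < 7 or fields[1:3] != ["IN", "TLSA"]:
        raise ValueError("not a TLSA record: " + line)
    usage, selector, matching = (int(f) for f in fields[3:6])
    hexdata = "".join(fields[6:]).lower()   # long digests are often split across tokens
    return (usage, selector, matching, hexdata)


def dane_ee_match(records, presented_spki: bytes, presented_cert=None) -> bool:
    """True if any usage-3 record matches the credential the peer presented."""
    for usage, selector, matching, hexdata in records:
        if usage != USAGE_DANE_EE:
            continue     # PKIX-* usages (0-2) additionally require chain validation; not handled here
        if selector == SELECTOR_SPKI:
            selected = presented_spki
        elif selector == SELECTOR_CERT and presented_cert is not None:
            selected = presented_cert
        else:
            continue
        expected = bytes.fromhex(hexdata)
        if hmac.compare_digest(association_data(selected, matching), expected):
            return True
    return False


def rotation_demo():
    """Rotation as the post describes: publish new alongside old, then retire old."""
    old_spki, new_spki = ed25519_spki(OLD_KEY), ed25519_spki(NEW_KEY)
    zone = [tlsa_presentation(OWNER, tlsa_rdata(old_spki))]
    # Step 1: the peer (authenticated with its old key) announces the renewed key;
    # the server adds a second TLSA record instead of replacing the first.
    zone.append(tlsa_presentation(OWNER, tlsa_rdata(new_spki)))
    both = [parse_tlsa(line) for line in zone]
    during = (dane_ee_match(both, old_spki), dane_ee_match(both, new_spki))
    # Step 2: after the old RRset's TTL has expired from resolver caches, drop the old record.
    after = [parse_tlsa(zone[1])]
    return during, (dane_ee_match(after, old_spki), dane_ee_match(after, new_spki))


if __name__ == "__main__":
    print(tlsa_presentation(OWNER, tlsa_rdata(ed25519_spki(OLD_KEY))))
    print(rotation_demo())
```

For a real certificate, the `3 1 1` association data is what `openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256` prints. Note that the matching here is only as trustworthy as the DNS answer it came from: a validator must require a DNSSEC-authenticated (AD) TLSA RRset, since an unsigned or bogus answer would let anyone substitute their own key hash.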
