Simplify certificate management of large organizations with DANE

This is where we can discuss what we would like to see added or changed in OpenVPN.

Moderators: TinCanTech

renne
OpenVpn Newbie
Posts: 2
Joined: Thu Aug 15, 2013 1:17 pm

Post by renne » Wed Oct 31, 2018 8:17 pm

Hi,

Currently, admins have the hassle of setting up a certificate authority and distributing certificates to client machines.

DNS-based Authentication of Named Entities (IETF RFC 6698) allows the use of self-signed certificates, publishing the hashes of the certificates via DNSSEC-secured TLSA DNS resource records. OpenVPN servers and clients can generate their self-signed certificates themselves. The operator of an OpenVPN client would communicate the hash of the self-signed certificate to the DNS administrator once. When a certificate expires, the OpenVPN client can use the old certificate to send the hash of the new certificate to the OpenVPN server, which can update the TLSA RRs of the OpenVPN client and of itself via dynamic DNS (IETF RFC 2136/RFC 2931).

OpenSSL already provides functions for DANE-validation.

ToDo:
OpenVPN server:
- Generate and renew self-signed certificates automatically
- Receive hashes of renewed certificates from OpenVPN clients
- Update TLSA DNS RRs via dynamic DNS (IETF RFC 2136/RFC 2931)
- Validate certificates via DANE-TLS (IETF RFC 6698)

OpenVPN client:
- Generate and renew self-signed certificates automatically
- Display hash of first certificate for manual exchange
- Send hashes of renewed certificates to OpenVPN server
- Validate certificates via DANE-TLS (IETF RFC 6698)
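As an added example (not from the original post and not OpenVPN code), here is the TLSA bookkeeping the proposal depends on: building the DANE-EE (usage 3) record for a self-signed certificate, and checking a certificate presented during the handshake against that record, including the case where a renewed certificate has not yet been published and the case where the TLSA answer was not DNSSEC-validated. The DER bytes are a constructed stand-in for a real certificate, the owner name assumes OpenVPN's default 1194/UDP, and only selector 0 (full certificate) is implemented.

```python
import hashlib
import re

# TLSA RDATA fields (RFC 6698 section 2.1). Usage 3 (DANE-EE) pins the
# end-entity certificate itself, which is what makes self-signed certificates
# usable without a CA. Selector 0 covers the full certificate, matching
# type 1 is SHA-256 and 2 is SHA-512 (0 means the raw DER is published).
DANE_EE, SELECTOR_CERT, MTYPE_SHA256, MTYPE_SHA512 = 3, 0, 1, 2

def tlsa_owner_name(host, port=1194, proto="udp"):
    """Owner name of the TLSA RRset, e.g. _1194._udp.vpn.example.com."""
    return f"_{port}._{proto}.{host.rstrip('.')}."

def tlsa_rdata(cert_der, usage=DANE_EE, selector=SELECTOR_CERT, mtype=MTYPE_SHA256):
    """Presentation-format RDATA ("3 0 1 <hex>") for a DER certificate.
    Selector 1 (SubjectPublicKeyInfo) would need DER parsing and is not handled."""
    if selector != SELECTOR_CERT:
        raise NotImplementedError("only selector 0 (full certificate) is supported")
    if mtype == 0:
        assoc = cert_der.hex()
    elif mtype == MTYPE_SHA256:
        assoc = hashlib.sha256(cert_der).hexdigest()
    elif mtype == MTYPE_SHA512:
        assoc = hashlib.sha512(cert_der).hexdigest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {assoc}"

def tlsa_matches(rdata, cert_der, dnssec_validated):
    """True if cert_der is authenticated by a DANE-EE TLSA record.
    An unsigned TLSA answer carries no trust, so the check fails closed
    unless the resolver reported the RRset as DNSSEC-validated."""
    if not dnssec_validated:
        return False
    m = re.fullmatch(r"(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)", rdata.strip())
    if not m:
        return False
    usage, selector, mtype = (int(x) for x in m.group(1, 2, 3))
    if usage != DANE_EE or selector != SELECTOR_CERT:
        return False  # PKIX-based usages 0-2 and the SPKI selector are out of scope
    try:
        expected = tlsa_rdata(cert_der, usage, selector, mtype)
    except ValueError:
        return False  # unknown matching type: treat as unusable record
    return expected.lower() == rdata.strip().lower()

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-openvpn-client-cert"
RENEWED_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-renewed-client-cert"

if __name__ == "__main__":
    rr = tlsa_rdata(CLIENT_CERT_DER)
    print(tlsa_owner_name("vpn.example.com"), "IN TLSA", rr)
    print("current cert accepted:", tlsa_matches(rr, CLIENT_CERT_DER, True))
    print("renewed cert accepted before TLSA update:", tlsa_matches(rr, RENEWED_CERT_DER, True))
    print("accepted without DNSSEC validation:", tlsa_matches(rr, CLIENT_CERT_DER, False))
```

The third check is the window the post's renewal step has to close: until the server has pushed the new hash into DNS, the renewed certificate is rejected, so the old record must stay published until the update has propagated.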
