Client auth using a CSR : CA asks for the client key

Scripts to manage certificates or generate config files
Post Reply
jhautbois
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 10, 2013 11:35 am

Client auth using a CSR : CA asks for the client key

Post by jhautbois » Tue Jul 23, 2013 12:47 pm

Hi !

I am trying to have the following scenario : A server and a CA are created.
I want a new client to be able to connect to the server, and I have two options :
- I create the certificate/key and copy them through a (supposed) secured channel
- I make the client create its private key and a CSR, then ask the CA to sign it and return its crt.

I am trying to make the second option as I read on the HowTo :
Shouldn't it be possible to set up the PKI without a pre-existing secure channel?

The answer is ostensibly yes. In the example above, for the sake of brevity, we generated all private keys in the same place. With a bit more effort, we could have done this differently. For example, instead of generating the client certificate and keys on the server, we could have had the client generate its own private key locally, and then submit a Certificate Signing Request (CSR) to the key-signing machine. In turn, the key-signing machine could have processed the CSR and returned a signed certificate to the client. This could have been done without ever requiring that a secret .key file leave the hard drive of the machine on which it was generated.
I copy the ca.crt onto the client, then on the client :

Code: Select all

. vars
./build-key --csr client
scp keys/client.csr user@ca:/tmp
And on the CA I do :

Code: Select all

./build-key --sign /tmp/client
Using configuration from /home/jm/openvpn_install/easy-rsa/easy-rsa/2.0/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           : *************
[...]
emailAddress          : **************
Certificate is to be certified until Jul 18 12:39:41 2033 GMT (7300 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
chmod: cannot access `/tmp/client.key': No such file or directory
As you can see, it is looking for the client private key. Which is not wanted !
What did I miss ?

Thanks !

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Client auth using a CSR : CA asks for the client key

Post by maikcat » Tue Jul 23, 2013 1:22 pm

after that error (which is produced by chmod)

are you getting .crt file?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

jhautbois
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 10, 2013 11:35 am

Re: Client auth using a CSR : CA asks for the client key

Post by jhautbois » Tue Jul 23, 2013 1:28 pm

Yes, I have a crt file.

jhautbois
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 10, 2013 11:35 am

Re: Client auth using a CSR : CA asks for the client key

Post by jhautbois » Tue Jul 23, 2013 1:47 pm

By the way, I can't get how a CSR cannot be used by an attacker...
If I understand correctly, what a client needs to connect to a server is a signed certificate.
And this signed certificate can be asked to the CA.
If an attacker gets the ca.crt, he can create its own private key, and generate a CSR which will then be signed by the CA, and he will get access to the server.
Or did I miss something ?

Thanks.

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Client auth using a CSR : CA asks for the client key

Post by maikcat » Wed Jul 24, 2013 6:15 am

If an attacker gets the ca.crt, he can create its own private key, and generate a CSR which will then be signed by the CA, and he will get access to the server.
the ca.crt is public...

CA is signing the certificates using its PRIVATE key (ca.key)

thats why ca.key is the most significant file and you must keep it secret....

when its signed by the CA means that its "approved" by it..
if an attacker requests you a cert you can always choose NOT to sign it.

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

jhautbois
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 10, 2013 11:35 am

Re: Client auth using a CSR : CA asks for the client key

Post by jhautbois » Wed Jul 24, 2013 9:49 am

OK, this is what I didn't get. So, when using CSR, the CA needs to be contacted, and uses the ca.key. So, its private key cannot be offline.
BTW, I still have my error, any idea ? Even if I get the CRT, having the error is weird ?

User avatar
maikcat
Forum Team
Posts: 4202
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece
Contact:

Re: Client auth using a CSR : CA asks for the client key

Post by maikcat » Wed Jul 24, 2013 10:28 am

with a quick look on pkitool script i noticed it calls
chmod to change key perms to 600 , this produces the error you get,
the script tries to change .key permissions to 600 for security , in your case
the file is missing and you get the error...

can you check that if the crt you get is signed by your CA?

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera,Simsons Season13)

"objects in mirror are losing"

jhautbois
OpenVpn Newbie
Posts: 7
Joined: Wed Jul 10, 2013 11:35 am

Re: Client auth using a CSR : CA asks for the client key

Post by jhautbois » Wed Jul 24, 2013 10:32 am

Yes, it has been signed.

ahmad.karim
OpenVpn Newbie
Posts: 1
Joined: Thu Aug 09, 2018 8:22 am

Re: Client auth using a CSR : CA asks for the client key

Post by ahmad.karim » Thu Aug 09, 2018 8:28 am

maikcat wrote:
Wed Jul 24, 2013 6:15 am
If an attacker gets the ca.crt, he can create its own private key, and generate a CSR which will then be signed by the CA, and he will get access to the server.
the ca.crt is public...

CA is signing the certificates using its PRIVATE key (ca.key)

thats why ca.key is the most significant file and you must keep it secret....

when its signed by the CA means that its "approved" by it..
if an attacker requests you a cert you can always choose NOT to sign it.

Michael.
But how will the CA authenticate if the request is coming form a attacker or authenticated user. I dont think the CA will get a request saying that "Hi CA its attacker here, Here is my CSR give me a certificate!".
Any one who has the CA.crt can create his own key can generate a CSR. Can you please clarify :? . Thank you

Post Reply