New here, certificates question

Scripts to manage certificates or generate config files
Post Reply
User avatar
GRIFFCOMM
OpenVpn Newbie
Posts: 4
Joined: Sun Nov 25, 2018 6:35 am

New here, certificates question

Post by GRIFFCOMM » Sun Nov 25, 2018 6:45 am

Hi, i am not new to VPN, i am however new to openVPN, i have played with the Windows PC server and a QNAP NAS running QVPN server both running as openVPN servers, however my question is this.

I have an appliance (phone) that supports openVPN, but is asking for 3 certificates, how do i get these certificates from the Windows Server or QNAP appliance running openVPN? (the openVPN system only seems to download 1 certificate)

Cetificates needed are:
- OpenVPN® CA
- OpenVPN® certificate
- OpenVPN® Client Key


Image of the client device asking for them:
Image

Sop_1000
OpenVpn Newbie
Posts: 8
Joined: Wed Dec 19, 2018 3:29 pm

Re: New here, certificates question

Post by Sop_1000 » Wed Dec 19, 2018 3:47 pm

You need to painfully generate them following this painful guide, keep in mind your certs won't be valid for a few hours after you generate them.

https://community.openvpn.net/openvpn/w ... dows_Guide

User avatar
GRIFFCOMM
OpenVpn Newbie
Posts: 4
Joined: Sun Nov 25, 2018 6:35 am

Re: New here, certificates question

Post by GRIFFCOMM » Wed Dec 19, 2018 3:55 pm

Hi Thanks..... i have the manufacture looking at this as well, they seem to be saying the username / password should work, i am not sure it does, so they are working on it as well.

Sop_1000
OpenVpn Newbie
Posts: 8
Joined: Wed Dec 19, 2018 3:29 pm

Re: New here, certificates question

Post by Sop_1000 » Wed Dec 19, 2018 4:03 pm

CA should be the same as the server, CRT and KEY are client specific and should be generated from openvpn server installation, also, that client doesn't ask for a ta.key, which I think is needed for TLS, so you should probably disable that on the server, somehow. Also make sure the cipher method matches the server, AES-256 is the standard. Not sure about username, windows client never asks user input on that, just the password, and the password is "stamped" on the client certificate.

User avatar
GRIFFCOMM
OpenVpn Newbie
Posts: 4
Joined: Sun Nov 25, 2018 6:35 am

Re: New here, certificates question

Post by GRIFFCOMM » Wed Dec 19, 2018 4:16 pm

Thanks, i have a new firewall (Watchguard) appearing in about a week, i will be investigating this a lot more than, they support openVPN also, ive not looked at it since first trying all this. The Windows PCs work fine, its this device (phone) thats creating an issue.

Sop_1000
OpenVpn Newbie
Posts: 8
Joined: Wed Dec 19, 2018 3:29 pm

Re: New here, certificates question

Post by Sop_1000 » Wed Dec 19, 2018 4:22 pm

Oh no, I hate Watchguard, mainly because of the licensing thing, you can't basicly have a proper firewall without 10 licences one for each thing, you're gonna have to get a VPN license for that to work. I might not be 100% correct on this though.

User avatar
GRIFFCOMM
OpenVpn Newbie
Posts: 4
Joined: Sun Nov 25, 2018 6:35 am

Re: New here, certificates question

Post by GRIFFCOMM » Wed Dec 19, 2018 4:39 pm

We are a watchguard reseller, you dont need licenses, the firewall is free, to be warrantied you need "license", however the VPN is free on them (up to a certain amount).

They do however have "services" you pay for which we never sell, when the "license" for the unit expires it continues to work as a firewall WITH the built in VPN it came with, you cant however upgrade the firmware once the support stops. It will work indefinitely as a firewall with the base VPN (SSL / site to site etc...), sure you want LOADS of SSL and site to site then you need to pay for it...

Post Reply