Using externally generated subordinate authority certificate

Scripts to manage certificates or generate config files
Post Reply
mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Using externally generated subordinate authority certificate

Post by mdibella » Thu Dec 13, 2018 11:22 pm

I'm using the OpenVPN virtual appliance (Ubuntu 16.04.4 LTS) and I've updated it to OpenVPN 2.6.1.

I have an externally generated subordinate authority certificate that I want to use for OpenVPN client certificates.

I've searched for a good process to use to replace both replace the signing certificate for new client certificates, and update the client certificate trust list, but I haven't found any.

I think I need to update rows in the certs.db file, but I was hoping there are already some scripts to do that and I won't have to modify tables using SQL commands.

Can anyone comment on my use case?

mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Re: Using externally generated subordinate authority certificate

Post by mdibella » Fri Dec 14, 2018 6:56 pm

So i see this line in the certool help:

--cabundle= CA bundle file to use when generating PKCS12

Would the correct command to replace the internal CA signing certificate be:

./certool --cabundle=<path-to-subca.pfx> --capass=PROMPT

where the subca.pfx is a PKCS#12 container with the SubCA certificate, private key, and chain?

mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Re: Using externally generated subordinate authority certificate

Post by mdibella » Mon Dec 17, 2018 11:13 pm

Tried it. Took a snapshot of the server and ran the command. Had to tweak the command slightly:

./certool --cabundle=subca.pfx --capass=PROMPT --type=ca

Appears to have had no effect.

I do see an article describing the steps to disable in the internal CA and use an external issuing server for generating the client certificates, but that isn't what I'm looking to do. I want to maintain OpenVPN's connection profile factory to include internally generated client certificates, but I want those certificates to chain to my enterprise root.

Has no one encountered a similar use case?

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5638
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Mon Dec 17, 2018 11:23 pm

Perhaps you should start at the beginning:
viewtopic.php?f=30&t=22603

mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Re: Using externally generated subordinate authority certificate

Post by mdibella » Tue Dec 18, 2018 1:23 am

Well this is really intriguing me.

From the sqlite3 SQL> command prompt, I can see there is a row in the certs.db database "certificates" table containing the base64-encoded certificate file and private key for the system-generated authority for signing client certificates. The system has assigned a common name of "OpenVPN CA" for this certificate, which I see in the "cn" column.

However, in the config.db database dump, I don't see any property that connects the common name "Open VPN" (or the certificate serial number, or any other column in the "certificate" table) to be used as the signing certificate for generating client certificates.

In the article description the external CA use case, I do see references to some configuration keys for setting the external CA certificate for trust purposes -- external_pki.server_ca_crt -- but since I am looking to use the internal CA to generate client certificates, I'll need a way to set both the certificate and private key.

mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Re: Using externally generated subordinate authority certificate

Post by mdibella » Wed Dec 19, 2018 2:16 am

Today's update.

After extensive and exhausting searching, I've learned:

1. The "Community Resources" page (https://openvpn.net/community-resources/) "search" function, does not function under Chrome.
2. Using Internet Explorer, I found a seemly relevant article, "Setting up your own Certificate Authority (CA)", here: https://openvpn.net/community-resources ... hority-ca/
3. None of the scripts described in the article are present in the pre-built virtual server.

I promise if I get this figured out I will thoroughly document the use case for others.

Wish me luck.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5638
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Wed Dec 19, 2018 3:21 am

Wrong Forum .. Wrong Product .. Don't read the help ..

mdibella
OpenVPN User
Posts: 21
Joined: Thu Dec 13, 2018 11:15 pm

Re: Using externally generated subordinate authority certificate

Post by mdibella » Wed Dec 19, 2018 3:33 am

I guess I'll just keep looking for the loot box.

Previous offer stands...if I figure it out I'll post the solution...hopefully it can help someone else.

User avatar
TinCanTech
OpenVPN Protagonist
Posts: 5638
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Wed Dec 19, 2018 3:45 am

mdibella wrote:
Wed Dec 19, 2018 3:33 am
I guess I'll just keep looking for the loot box
Openvpn.Inc have chosen the path they wish to follow ..

You can help yourself by reading the help I have provided.

Post Reply