As the title asks.
I am setting up a VPN remote access server using OpenVPN and am using client certificate + username and password authentication.
I am doing this with a pfSense router/firewall. It has a utility to export an 'Inline Configuration' which will import to an OpenVPN client and work perfectly fine. The 'inline' configuration file includes the necessary certificates, including the client certificate. It also includes the private key of the client certificate in plain text.
I don't think I have to explain here how serious of a security problem that is.
Is there a way to set an openvpn configuration profile to use a Windows 10 machine's certificate store instead of having the certificates embedded in the profile? This would need to work for both client certificates and server certificates. I have other infrastructure on hand I can use to securely deploy the client certificates as pfx/p12 files.
Is there a way to create a profile that will use the Windows certificate store?
Re: Is there a way to create a profile that will use the Windows certificate store?
The cryptoapicert option can be used to refer to cert/key material in Windows Certificate store.
See OpenVPN manual.
In the server context there might be issues regarding cert/process ownership.
The client setup in most cases (user certificates) is straightforward.
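To make the answer concrete, here is an added example of what a client profile looks like once `cryptoapicert` replaces the embedded `<cert>`/`<key>` blocks. This is not the original poster's export and not code from the OpenVPN project; the server name, port and thumbprint are placeholders, and it assumes the client `.p12` was imported (with its private key) into the current user's Personal ("My") certificate store.

```conf
# Added example client profile, not from the original post or the pfSense export.
# Assumed: the client .p12 was imported into the current user's Personal ("My")
# store with its private key; the remote host and thumbprint below are placeholders.
client
dev tun
proto udp
remote vpn.example.com 1194      # placeholder server name and port
nobind
persist-key
persist-tun
auth-user-pass                   # keeps the username/password factor from the question
remote-cert-tls server           # refuse a peer certificate that lacks the server EKU

# Client certificate and private key are taken from the Windows certificate store
# instead of <cert>/<key> blocks. Select the certificate by its SHA-1 thumbprint
# (placeholder value; spaces between the hex bytes are optional) ...
cryptoapicert "THUMB:00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33"
# ... or by a substring of the certificate subject:
# cryptoapicert "SUBJ:vpnuser01"

# The CA that signed the server certificate still has to be supplied here:
# cryptoapicert only covers the client cert/key, it does not take trust anchors
# from the Windows store. A CA certificate carries no private key, so leaving it
# inline is not the problem the question describes.
<ca>
-----BEGIN CERTIFICATE-----
(paste the pfSense CA certificate here)
-----END CERTIFICATE-----
</ca>
```

The thumbprint can be read from the certificate's Details tab in certmgr.msc, or with `Get-ChildItem Cert:\CurrentUser\My` in PowerShell. After this change the profile no longer contains any private key; any `<tls-auth>` or `<tls-crypt>` block from the pfSense export is a shared channel key rather than the client's identity key and can stay in the file as exported.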