
Using externally generated subordinate authority certificate

Posted: Wed Dec 19, 2018 4:25 pm
by mdibella
I'm trying to prove a use case for OpenVPN for Per-app VPN on iOS. In order to do this, I need the MDM server to issue the VPN profile to the device with an embedded client certificate for autoconnect. As a first step in proving the case, I need to reconfigure the OpenVPN server to accept client certificates from an external authority. To simplify testing, I desire to re-key the built-in CA with an externally generated Subordinate Authority certificate, then after proving reliable operation using Access Server-provided profiles, implement the MDM as an issuing server using the same certificate and issue profiles from the MDM.

I've read the "External public key infrastructure (PKI)" article and it provides an incomplete solution as I want to maintain OpenVPN's connection profile factory to include internally generated client certificates, but I want those certificates to chain to my enterprise root.

I've also read the "Setting up your own Certificate Authority (CA)" article, but none of the scripts described in the article are present in the pre-built virtual server.

I'm using the OpenVPN virtual appliance (Ubuntu 16.04.4 LTS) and I've updated it to OpenVPN 2.6.1. I have an externally generated subordinate authority certificate that I want to use for OpenVPN client certificates. I've searched for a good process to both replace the signing certificate for new client certificates and update the client certificate trust list, but I haven't found any. I think I need to update rows in the certs.db file, but I was hoping there are already some scripts to do that and I won't have to modify tables using SQL commands.

From the sqlite3 SQL> command prompt, I can see there is a row in the certs.db database "certificates" table containing the base64-encoded certificate file and private key for the system-generated authority for signing client certificates. The system has assigned a common name of "OpenVPN CA" for this certificate, which I see in the "cn" column. However, in the config.db database dump, I don't see any property that connects the common name "OpenVPN CA" (or the certificate serial number, or any other column in the "certificates" table) to be used as the signing certificate for generating client certificates. In the article describing the external CA use case, I do see references to some configuration keys for setting the external CA certificate for trust purposes -- external_pki.server_ca_crt -- but since I am looking to use the internal CA to generate client certificates, I'll need a way to set both the certificate and private key.

I also looked at the help for the certool script and tried:

./certool --cabundle=subca.pfx --capass=PROMPT --type=ca

But it appears to have had no effect.

Is there a supported method to regenerate the internal certificate authority using a provided certificate?

Re: Using externally generated subordinate authority certificate

Posted: Tue Feb 26, 2019 12:50 am
by mdibella
Progress update.

I've got per-app VPN working by uploading the AS appliance-generated client certificate into the user's certificate escrow on the MDM server, then embedding the stored certificate into the iOS mobileconfig generated by the MDM server's profile factory. This is a workable solution, but requires each user to download their VPN profile from the AS user portal, parse the file manually, save the certificate and key into text files, use OpenSSL or another utility to convert from PEM to PKCS#12 format, and finally upload the .PFX into the MDM server using the MDM user portal. Users that do not properly complete this workflow before enrolling a device will receive a non-working device configuration from the MDM. This is really too much of a kludge for production deployment.

Since I cannot re-key the internal CA with an externally generated subordinate authority certificate, I plan to go the other way. I've exported the OpenVPN CA certificate from the appliance and created a new local root CA hosted on the MDM server configured to issue client authentication certificates with the auto-login subject format (username_AUTOLOGIN). The certificate from the local CA can contain the Extended Key Usage attribute with a value of Client Certificate, but the Netscape Cert Type attribute is not supported.

I still want to be able to generate login profiles for desktops and laptops using the appliance user portal, so I don't want to switch to the external PKI configuration. I see that in the external PKI configuration I can set the external_pki.remote_cert_usage to EKU to accept certificates with the Extended Key Usage attribute. Is there another option to allow the AS appliance to accept either EKU or NS in the internal PKI configuration?
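The manual workflow the poster describes above (download the user-portal profile, pull the inline <ca>, <cert> and <key> blocks out of it, convert the client certificate and key from PEM to PKCS#12, upload the .pfx to the MDM) can be scripted so that users do not have to do it by hand. The script below is an added example and is not code from the original posts, from OpenVPN or from any MDM vendor. It assumes a POSIX shell with awk, and openssl on PATH for the PKCS#12 and usage-check steps. The sample profile and the PEM bodies in it are constructed placeholders (base64 of short ASCII strings), not a real certificate or key, so the PKCS#12 conversion is only meaningful on a real Access Server profile.

```shell
#!/bin/sh
# Split an OpenVPN .ovpn profile with inline PEM blocks into files, bundle the
# client cert + key into a PKCS#12 file, and report which client-usage marker
# (EKU clientAuth or Netscape Cert Type "SSL Client") the certificate carries.
# Added example; assumes inline <ca>/<cert>/<key> blocks as Access Server emits.

# extract_block FILE TAG -> prints the lines between <TAG> and </TAG>
extract_block() {
    awk -v tag="$2" '
        { sub(/\r$/, "") }                       # tolerate CRLF line endings
        $0 == ("<" tag ">")  { inside = 1; next }
        $0 == ("</" tag ">") { inside = 0 }
        inside               { print }
    ' "$1"
}

# split_profile PROFILE OUTDIR -> writes ca.crt, client.crt, client.key
split_profile() {
    profile="$1"; outdir="$2"
    mkdir -p "$outdir"
    for tag in ca cert key; do
        case $tag in
            ca)   out=ca.crt ;;
            cert) out=client.crt ;;
            key)  out=client.key ;;
        esac
        extract_block "$profile" "$tag" > "$outdir/$out"
        [ -s "$outdir/$out" ] || { echo "missing <$tag> block in $profile" >&2; return 1; }
    done
    chmod 600 "$outdir/client.key"               # the key is what the MDM will escrow
}

# to_pkcs12 OUTDIR OUTFILE -> bundles cert + key + CA chain into a .pfx (prompts for a password)
to_pkcs12() {
    openssl pkcs12 -export \
        -in "$1/client.crt" -inkey "$1/client.key" -certfile "$1/ca.crt" \
        -name "openvpn-client" -out "$2"
}

# check_client_usage CERT -> prints the EKU and/or nsCertType client markers found
check_client_usage() {
    openssl x509 -in "$1" -noout -text |
        grep -E 'TLS Web Client Authentication|SSL Client' ||
        echo "no client usage marker found"
}

# make_sample_profile FILE -> writes a constructed profile for testing the parser.
# The PEM bodies are placeholders, not real certificates or keys.
make_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
<ca>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0EgQk9EWQ==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgQ0xJRU5UIENFUlQ=
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgQ0xJRU5UIEtFWQ==
-----END PRIVATE KEY-----
</key>
EOF
}

# Typical use on a real profile downloaded from the user portal:
#   split_profile client.ovpn ./out && to_pkcs12 ./out client.pfx && check_client_usage ./out/client.crt
```

On a real profile, check_client_usage shows why the second post matters: an Access Server-issued client certificate prints both "TLS Web Client Authentication" (EKU) and "SSL Client" (Netscape Cert Type), while a certificate from a CA that cannot set nsCertType prints only the EKU line. If the MDM rejects a .pfx produced by OpenSSL 3, its default PBE algorithms are the usual cause; adding -legacy to the openssl pkcs12 call selects the older encryption that more importers accept.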