Support for Certificate Policies

Samples of working configurations.


gareththered
OpenVpn Newbie
Posts: 1
Joined: Fri Aug 04, 2017 9:11 pm

Support for Certificate Policies

Post by gareththered » Fri Aug 04, 2017 9:29 pm

OpenVPN should support X509 Certificate Policies in order to compartmentalize a Root CA.

Currently, the only way for a single organisation to control which OpenVPN installation a user can connect to is to use separate CAs (assuming that user has an account on both systems).

If an organisation has a registered IANA OID such as 1.3.6.1.4.1.32473 (Example OID), they could distribute sub-trees to various OpenVPN installations within their organisation. Each would run their own subordinate CA (using a common Root CA) but only issue certificates which contain a Certificate Policy OID allocated to them. The server could then (with an appropriate option) check that the client certificate supplied has the allocated Policy OID embedded.

For example 1.3.6.1.4.1.32473.1 (note the .1 suffix) could be allocated to a dept A's OpenVPN server and subordinate CA, while 1.3.6.1.4.1.32473.2 (note the .2 suffix) could be allocated to dept B's OpenVPN server and CA. A user with a certificate issued by dept A's subordinate CA would therefore not be able to log in to dept B's OpenVPN installation and vice versa.

I believe OpenSSL has the ability to check policy trees therefore this shouldn't be too difficult to implement (says the non-programmer!).

hablutzel1
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 15, 2019 8:33 pm

Re: Support for Certificate Policies

Post by hablutzel1 » Wed Jul 17, 2019 5:26 pm

I can see that OpenVPN supports 'auth-user-pass-verify', which would allow using a script plugin to process a user authentication event. Is the client certificate available to this script?

If so, this script could be configured to check for the presence of the required certificate policy ID.

hablutzel1
OpenVpn Newbie
Posts: 2
Joined: Mon Jul 15, 2019 8:33 pm

Re: Support for Certificate Policies

Post by hablutzel1 » Thu Nov 12, 2020 3:43 pm

Certificate policies can be validated with a script like the following:


#!/bin/bash
# OpenVPN calls the tls-verify script with the certificate depth and subject; depth 0 is the client certificate.
certificate_depth=$1
policy=1.3.6.1.4.1.32473.1
if [ "$certificate_depth" -eq 0 ]; then
    # $peer_cert is the exported client certificate; OpenVPN sets it only when tls-export-cert is configured.
    # -policy_check enables policy processing explicitly (older OpenSSL releases did not enable it from -policy alone).
    openssl verify -CAfile /etc/openvpn/ca.crt -policy_check -explicit_policy -policy "$policy" "$peer_cert" || exit 1
fi
exit 0
And the following OpenVPN configuration:

server.conf

# The script reads the exported client certificate from $peer_cert, which OpenVPN only sets
# when tls-export-cert names a directory to export it to (the directory below is a placeholder).
tls-export-cert /tmp/openvpn-certs
tls-verify /path/to/tls-verify-cert-policy.sh

Tested with OpenVPN 2.4.4-2ubuntu1.3.
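As an added example (not code from this thread, from OpenVPN or from Easy-TLS), the following POSIX shell script builds the arrangement gareththered describes and exercises the check in the tls-verify script above: a throwaway Root CA, a dept A subordinate CA that is allocated policy 1.3.6.1.4.1.32473.1, and a client certificate issued under it. It then runs the same openssl verify policy check against dept A's OID (accepted), against dept B's 1.3.6.1.4.1.32473.2 (rejected), and once more without -explicit_policy to show that the mismatch is silently accepted when that flag is left out. The certificate names, serial numbers, temporary paths, config section names and the functions build_demo_pki / check_policy / check_policy_without_explicit are all assumptions made for the demo; the only values taken from the thread are the two policy OIDs.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway Root CA -> dept A sub-CA -> client
# chain that carries the thread's example policy OID, then run the openssl verify policy
# check a tls-verify script would run. All names, paths and serials are made up for the demo.
set -eu

POLICY_A=1.3.6.1.4.1.32473.1   # allocated to dept A's sub-CA and OpenVPN server
POLICY_B=1.3.6.1.4.1.32473.2   # allocated to dept B

# Create root.crt, sub_a.crt and client_a.crt under directory $1 (must already exist).
build_demo_pki() {
    dir=$1
    # Self-contained OpenSSL config so the demo does not depend on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ root_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ sub_a_ext ]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
certificatePolicies = $POLICY_A
[ client_a_ext ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
certificatePolicies = $POLICY_A
EOF
    # Root CA: the trust anchor. Policy processing starts below it, so it carries no policy.
    openssl req -x509 -config "$dir/pki.cnf" -extensions root_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.crt" -subj "/CN=Example Root CA" -days 30
    # Dept A's subordinate CA: the root allocates it POLICY_A via certificatePolicies.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/sub_a.key" -out "$dir/sub_a.csr" -subj "/CN=Dept A Sub CA"
    openssl x509 -req -in "$dir/sub_a.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" -set_serial 1001 \
        -extfile "$dir/pki.cnf" -extensions sub_a_ext -days 30 -out "$dir/sub_a.crt"
    # A client certificate issued by dept A's sub-CA, also asserting POLICY_A.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/client_a.key" -out "$dir/client_a.csr" -subj "/CN=alice"
    openssl x509 -req -in "$dir/client_a.csr" -CA "$dir/sub_a.crt" -CAkey "$dir/sub_a.key" -set_serial 2001 \
        -extfile "$dir/pki.cnf" -extensions client_a_ext -days 30 -out "$dir/client_a.crt"
}

# The check a tls-verify script performs at depth 0: verify certificate $3 against trust
# anchor $1 (with $2 as untrusted intermediate) and require policy $4 to be asserted by
# every certificate below the trust anchor. Returns 0 on success, non-zero otherwise.
# -policy_check turns policy processing on explicitly (older OpenSSL releases did not
# enable it from -policy alone); -explicit_policy makes an empty policy intersection fatal.
check_policy() {
    openssl verify -CAfile "$1" -untrusted "$2" -policy_check -explicit_policy \
        -policy "$4" "$3" >/dev/null 2>&1
}

# Same check without -explicit_policy: a mismatched policy is then NOT an error, so the
# dept A client is accepted against POLICY_B. Included only to show why the flag matters.
check_policy_without_explicit() {
    openssl verify -CAfile "$1" -untrusted "$2" -policy_check -policy "$4" "$3" >/dev/null 2>&1
}

main() {
    work=$(mktemp -d)
    build_demo_pki "$work" >/dev/null 2>&1
    for policy in "$POLICY_A" "$POLICY_B"; do
        if check_policy "$work/root.crt" "$work/sub_a.crt" "$work/client_a.crt" "$policy"; then
            echo "dept A client against policy $policy: accepted"
        else
            echo "dept A client against policy $policy: rejected"
        fi
    done
    if check_policy_without_explicit "$work/root.crt" "$work/sub_a.crt" "$work/client_a.crt" "$POLICY_B"; then
        echo "without -explicit_policy, policy $POLICY_B is wrongly accepted"
    fi
    rm -rf "$work"
}

main
```

Two points the demo makes visible: the subordinate CA must assert the allocated policy (or anyPolicy) as well, because RFC 5280 policy processing prunes the valid policy tree at every certificate below the trust anchor, so a sub-CA without a certificatePolicies extension makes the client fail even when the client certificate carries the right OID; and -explicit_policy is what turns a policy mismatch into a rejection, so a tls-verify script that omits it enforces nothing.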

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Support for Certificate Policies

Post by TinCanTech » Thu Nov 12, 2020 9:07 pm

Easy-TLS already has a similar function called Custom Group.
