Intermediate CA

This forum is for admins who are looking to build or expand their OpenVPN setup.

Moderators: TinCanTech

ePluribusUnum
OpenVpn Newbie
Posts: 10
Joined: Fri Feb 25, 2022 10:23 pm

Intermediate CA

Post by ePluribusUnum » Wed Nov 23, 2022 6:52 pm

I need to give managers time-limited access to add OpenVPN users.

I can have them submit CSRs to me for each user and I return a signed cert for that user. But if I (read: my server) is not available, then they're out of luck. I also have a distaste for such highly centralized solutions.

I would like to give my managers a short-duration Intermediate CA certificate, for, say, 24 hours, that they can use to onboard their new users as needed. But for this to be possible, it seems like two things need to happen:

1. OpenVPN must not require Certificate Validity Nesting - i.e. a certificate expiring in one day can sign a certificate good for one year (see https://security.stackexchange.com/ques ... -509-chain)

2. There must be some timestamping to make sure that expired intermediaries don't sign after expiration by backdating the date of the signature, à la RFC 3161. And OpenVPN must verify the timestamp on connection.

So, is this a pipe dream or is there something here that could be made to work?

openvpn_inc
OpenVPN Inc.
Posts: 1333
Joined: Tue Feb 16, 2021 10:41 am

Re: Intermediate CA

Post by openvpn_inc » Wed Nov 23, 2022 7:16 pm

Hello ePluribusUnum,

Unfortunately, OpenVPN does work with the method of requiring the CA and the user certificates to both be valid. You can sign a user certificate that is valid for a year while the CA is about to expire the next day, but then the OpenVPN client will complain about the CA certificate being expired the next day and refuse to connect. Also, if someone has hold of a CA private key they basically can do whatever they want in regards to signing new certificates, even backdating and such. They could also sign a new server certificate, run a new server and try to do a MiTM attack and such.

I suggest that you look into solutions to manage the CA for you. Not saying this is the only option but you could use OpenVPN Access Server. It has a web based interface and can authenticate against an authentication backend like SAML, RADIUS, PAM, LDAP. Let your manager add a user to the authentication backend, give the end-user the credentials, then they can grab the connection profile from the Access Server's web interface. Access Server generates and signs the necessary certificates automatically. And you can always go in and revoke stuff if needed. Just a suggestion.

Good luck,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
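The validity-nesting behaviour Johan describes, shown as an added demonstration that is not from this thread or from OpenVPN's code: it builds a root CA, a one-day intermediate and a one-year user certificate with the openssl CLI, then asks `openssl verify -attime` (OpenVPN delegates chain checking to the same library) whether the chain verifies now and three days later. All names, paths and validity periods below are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: root -> 1-day intermediate -> 365-day user cert.
# Shows that the chain stops verifying as soon as the intermediate expires,
# even though the user certificate it signed is still within its own validity.
set -eu
umask 077
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: the intermediate may sign end-entity certs only; the leaf is not a CA.
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > leaf.ext
EC='-newkey ec -pkeyopt ec_paramgen_curve:prime256v1'

# Self-signed root, valid 30 days (long enough to outlive the test window).
openssl req -x509 $EC -nodes -days 30 -subj '/CN=Demo Root CA' \
  -keyout root.key -out root.crt 2>/dev/null

# Intermediate handed to a manager: one day of validity.
openssl req -new $EC -nodes -subj '/CN=Manager Intermediate' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.crt 2>/dev/null

# User certificate signed by that intermediate, valid for a year.
openssl req -new $EC -nodes -subj '/CN=vpn-user' \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Returns 0 when the full chain verifies at epoch time $1, non-zero otherwise.
# Every certificate in the chain is checked against that time, as a client would.
chain_valid_at() {
  openssl verify -attime "$1" -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/inter.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

NOW=$(date +%s)
LATER=$((NOW + 3 * 86400))   # inside the leaf's year, past the intermediate's day

echo "user cert $(openssl x509 -noout -enddate -in leaf.crt)"
if chain_valid_at "$NOW";   then echo "now:       chain OK"; else echo "now:       chain REJECTED"; fi
if chain_valid_at "$LATER"; then echo "in 3 days: chain OK"; else echo "in 3 days: chain REJECTED (intermediate expired)"; fi
```

Requires the openssl CLI (1.1.1 or 3.x); the second check is the situation a connecting OpenVPN client would hit the day after the manager's intermediate expired.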
