Using my own certificate and key generated from windows CA

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Using my own certificate and key generated from windows CA

Post by helloworld » Wed Apr 11, 2012 9:23 am

Hi

I was wondering if I can use my own enterprise CA from windows server 2008 to generate certificates and keys instead of using command prompt RSA Key Management.

If possible what are the steps to do it?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Using my own certificate and key generated from windows

Post by janjust » Wed Apr 11, 2012 9:26 am

in theory, yes this is possible but I have no clue how to do it :)

OpenVPN can use pkcs#12 (.p12, .pfx) files for certificate management on both the client and server side; as long as the Windows enterprise CA can export those you should be OK.

You will also need to export the public CA certificate in PEM format.

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Fri Apr 13, 2012 1:38 am

Can someone provide me with the instructions on using a windows CA for certificates and keys?

I have tried using the certificate and key generated from a windows CA but failed to get OpenVPN to connect.

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Fri Apr 13, 2012 2:39 am

This is the log file for my error.
Pls advise.

Fri Apr 13 10:31:03 2012 OpenVPN 2.2.2 Win32-MSVC++ [SSL] [LZO2] [PKCS11] built on Dec 15 2011
Fri Apr 13 10:31:03 2012 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Apr 13 10:31:03 2012 Cannot load certificate file openvpnclient2.p7b: error:0906D06C:PEM routines:PEM_read_bio:no start line: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib
Fri Apr 13 10:31:03 2012 Exiting

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Using my own certificate and key generated from windows

Post by janjust » Fri Apr 13, 2012 10:40 am

you will need to export the PKCS7 (p7b) file to something that openvpn understands, OR you can use the 'cryptoapi' option to query the Windows CryptoAPI store directly. You will always need to export the CA certificate as a pem file, however.

To print all certificates in a pkcs7 file, use

openssl pkcs7 -in file.pem -print_certs -out certs.pem
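
The conversion discussed above, as an added example that is not part of the original posts: it checks that a `.p7b` is not loadable as a PEM certificate (the "no start line" error in the log), converts it, and confirms the result matches a private key. It assumes a POSIX shell with `openssl` on the PATH; the function names, file names and the throwaway certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file names and the sample certificate are constructed.

# Convert a PKCS#7 bundle to PEM certificates. Tries PEM encoding first,
# then DER, because a .p7b export can be either.
p7b_to_pem() {  # usage: p7b_to_pem in.p7b out.pem
    openssl pkcs7 -in "$1" -print_certs -out "$2" 2>/dev/null ||
    openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" 2>/dev/null
}

# True only for a PEM X.509 certificate, which is what the log's
# "PEM_read_bio:no start line" error says the .p7b was not.
is_pem_cert() {  # usage: is_pem_cert file
    openssl x509 -inform PEM -in "$1" -noout 2>/dev/null
}

# True if the private key and the certificate share one public key.
key_matches_cert() {  # usage: key_matches_cert key.pem cert.pem
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Constructed test data: a throwaway self-signed certificate wrapped in a
# DER-encoded .p7b, standing in for a CA export.
make_sample_p7b() {  # usage: make_sample_p7b dir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-client" \
        -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null &&
    openssl crl2pkcs7 -nocrl -certfile "$1/client.crt" \
        -outform DER -out "$1/client.p7b"
}

# Demo run in a temporary directory that is removed afterwards.
demo() {
    d=$(mktemp -d) || return 1
    make_sample_p7b "$d" && p7b_to_pem "$d/client.p7b" "$d/certs.pem" &&
    is_pem_cert "$d/certs.pem" && key_matches_cert "$d/client.key" "$d/certs.pem"
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "converted bundle loads as PEM and matches the key"
```

A `.p7b` carries certificates only, so the matching private key has to come from elsewhere, for example the PKCS#12 export mentioned earlier in the thread.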

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Mon Apr 16, 2012 9:07 am

When I run the openssl.exe, I get the following warning message:
WARNING: can't open config file: c:/openssl/ssl/openssl.cnf

I then proceed to load the openssl.cnf from openvpn2.2.2 package onto the required path as specified.

I rerun the exe file and it crashes.

How do I eliminate this warning message to ultimately convert certificates format using openssl?
Does the problem lie with the version of the openvpn2.2.2?

Thank You

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Using my own certificate and key generated from windows

Post by janjust » Mon Apr 16, 2012 9:11 am

the openssl.cnf warning is a known annoyance...
What happens if you first set

set OPENSSL_CONF=<full-path-to-openssl-conf-file>

e.g.

set OPENSSL_CONF=C:\Program Files (x86)\OpenVPN\easy-rsa\openssl.cnf

and then run openssl.exe?

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Mon Apr 16, 2012 9:54 am

Ok now the openssl is pointing to the correct directory for the config file. However upon starting openssl, an error is encountered

C:\Users\*****>openssl
2836:error:0E065068:configuration file routines:STR_COPY:variable has no value:.\crypto\conf\conf_def.c:618:line 37

any ideas?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Using my own certificate and key generated from windows

Post by janjust » Mon Apr 16, 2012 10:31 am

most likely your openssl.cnf file points to env variables which are not set. Check the file openssl.cnf line 37 to see what it expects.

As you don't need the env vars set/needed in the easy-rsa file you can also use an empty openssl.cnf file.

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Tue Apr 17, 2012 1:23 am

If I use an empty config file, then which directory should my input certificate be located for conversion?

User avatar
janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam
Contact:

Re: Using my own certificate and key generated from windows

Post by janjust » Tue Apr 17, 2012 1:06 pm

the input and output files are specified on the command line; if you want, generate a bogus pkcs7 file from your windows CA store and mail it to me - I will try the conversion.

helloworld
OpenVpn Newbie
Posts: 15
Joined: Tue Mar 20, 2012 4:13 pm

Re: Using my own certificate and key generated from windows

Post by helloworld » Wed Apr 25, 2012 10:05 am

I am sorry but I still do not understand how to use openssl to convert certificates.

Pls advise.
