openvpn-as server certificates

cubalibre
OpenVpn Newbie
Posts: 5
Joined: Tue Mar 20, 2012 6:03 pm

openvpn-as server certificates

Post by cubalibre » Wed Mar 21, 2012 3:48 pm

Hello guys!!

I have been using openvpn-as for a couple of years now, to connect my android and laptop to my home network when I'm on the move. It's been working so well, I'm very happy with my setup.

The only thing that started bothering me a bit is the warning you get about the security certificates when you connect via browser to the server. Looking at the webserver settings, I see there is also a warning about mismatched info. This really doesn't affect my use of the server, but as I am going to invite some friends to join my vpn, I'd prefer to have everything properly configured.

I am running the server on VMware player, and the host is running XP pro. The server is at my home. Is there any way of making these warnings go away?

I followed this guide http://openvpn.net/index.php/access-ser ... icate.html to replace certificates, but after copying the new files, it broke my connection so I went back to my original config.

Thanks in advance.

[screenshot attached: Web Server settings page]

ddog800
OpenVpn Newbie
Posts: 14
Joined: Sun Apr 15, 2012 6:01 pm

Re: openvpn-as server certificates

Post by ddog800 » Thu Apr 19, 2012 4:53 pm

By default, the server is configured to use a self-signed certificate since to use any SSL connection you need some sort of certificate (or what's the point, after all!). In the situation where you are getting this warning when connecting to the web server, the certificate it's referring to is the one managing the https connection in your browser and not the actual VPN connections. Basically, what the warning is referring to is that it can't locate a trusted Certificate Authority (CA) in order to verify that the certificate it's using to manage this https connection is a valid, trusted certificate. This does NOT mean that the connection won't work or even that there's a problem, simply that it can't verify the trustworthiness of the certificate. The https connection is still being encrypted as it should. Basically, as long as you trust the server you're connecting to, then you should have no problem accepting the warning and moving on. Ignoring the potential possibility of a man-in-the-middle attack, you should be pretty safe, especially since it'll just be you and a few friends connecting.

If, however, you do want to go through the process of removing the warning then you have two choices (you probably won't like the first one, the second is more realistic):

1) You could buy a certificate from an issuing CA such as Godaddy, Digicert, Namecheap, Verisign, or whatever. Certs can get expensive, but not always. Depending on the type of cert, you may find one for a decent price. However, you're going to run into an issue pretty quickly based on your current setup and that is that you're using dyndns.org to handle the DNS service. The problem is that you aren't going to be able to get a certificate from a trusted 3rd party CA for a dyndns.org name because you don't actually own the base domain name of dyndns.org. Basically, purchasing a cert from a CA will really only be a viable option if you own your own domain. This brings me to Option 2:

2) Roll your own certificates. This is likely the route you would want to take, and will HAVE to take if you're using a dyndns.org hostname. Basically, you will need to use OpenSSL to create your own root certificate -- basically you become your own CA -- and then generate the server certificate for your hostname.dyndns.org based on that root CA certificate. Then, you will simply need to install the new root certificate and server-specific certificate onto your AS server and just the new root certificate on any machine that you will want to connect to your VPN server and voila, no more warning message. On Windows machines, this is typically just a matter of downloading the cert and double-clicking on it, then hitting 'Install' and going through the Wizard. You should already have experience with OpenSSL if you've used the basic version of OpenVPN at all. You could use similar steps you would use to set up a fresh OpenVPN implementation in order to generate the new root cert and then server cert files (though maybe not precisely the same steps). Then you would provide those on the page you screenshotted previously to replace the basic certificate AS ships with.

The main difference between using a trusted 3rd party CA and creating your own root CA is that any trusted 3rd party cert vendor will already have their root certificates built into any major OS or web browser. That's why you can just purchase your server cert, install it on the server side and the client never gets a prompt. When you roll your own root certificate, then you will require the client to install that root cert on their machine. Thankfully, it's very trivial to do so.

Anyway, I hope that helps. Looks like it's been a month since you posted, so you may not care anymore, but this should be useful info for anyone else who may be searching for an answer to this issue.

meishu
OpenVpn Newbie
Posts: 1
Joined: Sat Apr 21, 2012 6:20 am

Re: openvpn-as server certificates

Post by meishu » Sat Apr 21, 2012 6:32 am

Hi There,

Could you please point me in the right direction on how to connect with an android device to OpenVPN AS?

Many thanks!

Mei
