Using externally generated subordinate authority certificate

Scripts to manage certificates or generate config files


mdibella
OpenVPN Power User
Posts: 51
Joined: Thu Dec 13, 2018 11:15 pm

Using externally generated subordinate authority certificate

Post by mdibella » Thu Dec 13, 2018 11:22 pm

I'm using the OpenVPN virtual appliance (Ubuntu 16.04.4 LTS) and I've updated it to OpenVPN 2.6.1.

I have an externally generated subordinate authority certificate that I want to use for OpenVPN client certificates.

I've searched for a good process to use to both replace the signing certificate for new client certificates and update the client certificate trust list, but I haven't found any.

I think I need to update rows in the certs.db file, but I was hoping there are already some scripts to do that and I won't have to modify tables using SQL commands.

Can anyone comment on my use case?

mdibella
OpenVPN Power User

Re: Using externally generated subordinate authority certificate

Post by mdibella » Fri Dec 14, 2018 6:56 pm

So I see this line in the certool help:

--cabundle= CA bundle file to use when generating PKCS12

Would the correct command to replace the internal CA signing certificate be:

./certool --cabundle=<path-to-subca.pfx> --capass=PROMPT

where the subca.pfx is a PKCS#12 container with the SubCA certificate, private key, and chain?

mdibella
OpenVPN Power User

Re: Using externally generated subordinate authority certificate

Post by mdibella » Mon Dec 17, 2018 11:13 pm

Tried it. Took a snapshot of the server and ran the command. Had to tweak the command slightly:

./certool --cabundle=subca.pfx --capass=PROMPT --type=ca

Appears to have had no effect.

I do see an article describing the steps to disable the internal CA and use an external issuing server for generating the client certificates, but that isn't what I'm looking to do. I want to maintain OpenVPN's connection profile factory to include internally generated client certificates, but I want those certificates to chain to my enterprise root.

Has no one encountered a similar use case?
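The two things the thread is circling (the PKCS#12 layout mentioned two posts up, "SubCA certificate, private key, and chain", and the goal stated in this post, internally issued client certificates that chain to an enterprise root), worked through with plain openssl as an added example. This is not code from the thread, from OpenVPN Access Server or from certool; it only assumes openssl 1.1.1 or later on PATH, and every name, path and passphrase in it is made up for the demo.

```shell
#!/bin/sh
# Added example for this thread; it is not OpenVPN Access Server code, nor the
# poster's. It builds a throwaway root CA and a subordinate CA with openssl,
# packs the sub-CA into a PKCS#12 bundle laid out the way the post describes
# (sub-CA certificate, private key and chain), issues a client certificate from
# that sub-CA, and checks that the client cert chains to the root only when the
# sub-CA certificate is available to the verifier. Every name, path and
# passphrase is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"             # scratch directory for all artifacts
PFX_PASS="${PFX_PASS:-demo-passphrase}"  # demo passphrase, never a real one

# write_extensions: one config file holding the extension profiles used below
write_extensions() {
    cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_subca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
}

# make_hierarchy: root CA -> sub-CA (pathlen:0) -> subca.pfx (key + cert + root)
make_hierarchy() {
    cd "$WORK"
    write_extensions
    openssl req -x509 -config pki.cnf -extensions v3_root -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -subj "/CN=Example Enterprise Root" \
        -keyout root.key -out root.crt 2>/dev/null
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Example VPN Issuing CA" -keyout subca.key -out subca.csr 2>/dev/null
    # pathlen:0 lets the sub-CA sign leaf certificates but no further CAs
    openssl x509 -req -sha256 -days 1825 -in subca.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile pki.cnf -extensions v3_subca -out subca.crt 2>/dev/null
    # The bundle the thread calls subca.pfx: sub-CA cert and key, root as the chain.
    openssl pkcs12 -export -inkey subca.key -in subca.crt -certfile root.crt \
        -name subca -passout "pass:$PFX_PASS" -out subca.pfx
}

# bundle_cert_count: number of certificates stored in subca.pfx (sub-CA + root = 2)
bundle_cert_count() {
    openssl pkcs12 -in "$WORK/subca.pfx" -passin "pass:$PFX_PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# issue_client NAME: pull the signing cert and key out of subca.pfx and issue NAME.crt
issue_client() {
    cd "$WORK"
    openssl pkcs12 -in subca.pfx -passin "pass:$PFX_PASS" -clcerts -nokeys \
        -out issuer.crt 2>/dev/null
    openssl pkcs12 -in subca.pfx -passin "pass:$PFX_PASS" -nocerts -nodes \
        -out issuer.key 2>/dev/null
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA issuer.crt -CAkey issuer.key \
        -CAcreateserial -extfile pki.cnf -extensions v3_client -out "$1.crt" 2>/dev/null
}

# verify_chain NAME: succeeds when NAME.crt chains to the root via the sub-CA cert
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuer.crt" \
        -purpose sslclient "$WORK/$1.crt" >/dev/null 2>&1
}

# verify_root_only NAME: the same check with only the root trusted. It fails,
# because the intermediate is missing: the sub-CA certificate has to travel with
# the root in whatever trust list the server and the clients are given.
verify_root_only() {
    openssl verify -CAfile "$WORK/root.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

# Stand-alone run: build everything and report the result of both checks.
if [ "${1:-}" = "run" ]; then
    make_hierarchy
    issue_client alice
    echo "certificates in subca.pfx: $(bundle_cert_count)"
    verify_chain alice && echo "alice.crt chains to the root via the sub-CA"
    verify_root_only alice || echo "alice.crt does not verify against the root alone (expected)"
fi
```

Run it as `sh subca-demo.sh run`. It touches neither certs.db nor certool, so it says nothing about how Access Server stores its signing key; what it does show is the shape of the bundle the post asks about and the check that matters once the internal CA is replaced: a client certificate issued by the sub-CA verifies against the enterprise root only if the sub-CA certificate is also present, so the trust list pushed to the server and to clients must carry the sub-CA certificate alongside the root, not the root alone.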

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Mon Dec 17, 2018 11:23 pm

Perhaps you should start at the beginning:
viewtopic.php?f=30&t=22603

mdibella
OpenVPN Power User

Re: Using externally generated subordinate authority certificate

Post by mdibella » Tue Dec 18, 2018 1:23 am

Well this is really intriguing me.

From the sqlite3 SQL> command prompt, I can see there is a row in the certs.db database "certificates" table containing the base64-encoded certificate file and private key for the system-generated authority for signing client certificates. The system has assigned a common name of "OpenVPN CA" for this certificate, which I see in the "cn" column.

However, in the config.db database dump, I don't see any property that connects the common name "Open VPN" (or the certificate serial number, or any other column in the "certificate" table) to be used as the signing certificate for generating client certificates.

In the article describing the external CA use case, I do see references to some configuration keys for setting the external CA certificate for trust purposes -- external_pki.server_ca_crt -- but since I am looking to use the internal CA to generate client certificates, I'll need a way to set both the certificate and private key.

mdibella
OpenVPN Power User

Re: Using externally generated subordinate authority certificate

Post by mdibella » Wed Dec 19, 2018 2:16 am

Today's update.

After extensive and exhausting searching, I've learned:

1. The "Community Resources" page (https://openvpn.net/community-resources/) "search" function does not function under Chrome.
2. Using Internet Explorer, I found a seemingly relevant article, "Setting up your own Certificate Authority (CA)", here: https://openvpn.net/community-resources ... hority-ca/
3. None of the scripts described in the article are present in the pre-built virtual server.

I promise if I get this figured out I will thoroughly document the use case for others.

Wish me luck.

TinCanTech
OpenVPN Protagonist

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Wed Dec 19, 2018 3:21 am

Wrong Forum .. Wrong Product .. Don't read the help ..

mdibella
OpenVPN Power User

Re: Using externally generated subordinate authority certificate

Post by mdibella » Wed Dec 19, 2018 3:33 am

I guess I'll just keep looking for the loot box.

Previous offer stands...if I figure it out I'll post the solution...hopefully it can help someone else.

TinCanTech
OpenVPN Protagonist

Re: Using externally generated subordinate authority certificate

Post by TinCanTech » Wed Dec 19, 2018 3:45 am

mdibella wrote:
Wed Dec 19, 2018 3:33 am
I guess I'll just keep looking for the loot box
Openvpn.Inc have chosen the path they wish to follow ..

You can help yourself by reading the help I have provided.
