Using externally generated subordinate authority certificate
Moderators: TinCanTech
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Using externally generated subordinate authority certificate
I'm using the OpenVPN virtual appliance (Ubuntu 16.04.4 LTS) and I've updated it to OpenVPN 2.6.1.
I have an externally generated subordinate authority certificate that I want to use for OpenVPN client certificates.
I've searched for a good process to use to both replace the signing certificate for new client certificates and update the client certificate trust list, but I haven't found any.
I think I need to update rows in the certs.db file, but I was hoping there are already some scripts to do that and I won't have to modify tables using SQL commands.
Can anyone comment on my use case?
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Using externally generated subordinate authority certificate
So i see this line in the certool help:
--cabundle= CA bundle file to use when generating PKCS12
Would the correct command to replace the internal CA signing certificate be:
./certool --cabundle=<path-to-subca.pfx> --capass=PROMPT
where the subca.pfx is a PKCS#12 container with the SubCA certificate, private key, and chain?
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Using externally generated subordinate authority certificate
Tried it. Took a snapshot of the server and ran the command. Had to tweak the command slightly:
./certool --cabundle=subca.pfx --capass=PROMPT --type=ca
Appears to have had no effect.
I do see an article describing the steps to disable in the internal CA and use an external issuing server for generating the client certificates, but that isn't what I'm looking to do. I want to maintain OpenVPN's connection profile factory to include internally generated client certificates, but I want those certificates to chain to my enterprise root.
Has no one encountered a similar use case?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Using externally generated subordinate authority certificate
Perhaps you should start at the beginning:
viewtopic.php?f=30&t=22603
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Using externally generated subordinate authority certificate
Well this is really intriguing me.
From the sqlite3 SQL> command prompt, I can see there is a row in the certs.db database "certificates" table containing the base64-encoded certificate file and private key for the system-generated authority for signing client certificates. The system has assigned a common name of "OpenVPN CA" for this certificate, which I see in the "cn" column.
However, in the config.db database dump, I don't see any property that connects the common name "OpenVPN CA" (or the certificate serial number, or any other column in the "certificates" table) to be used as the signing certificate for generating client certificates.
In the article describing the external CA use case, I do see references to some configuration keys for setting the external CA certificate for trust purposes -- external_pki.server_ca_crt -- but since I am looking to use the internal CA to generate client certificates, I'll need a way to set both the certificate and private key.
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Using externally generated subordinate authority certificate
Today's update.
After extensive and exhausting searching, I've learned:
1. The "Community Resources" page (https://openvpn.net/community-resources/) "search" function, does not function under Chrome.
2. Using Internet Explorer, I found a seemingly relevant article, "Setting up your own Certificate Authority (CA)", here: https://openvpn.net/community-resources ... hority-ca/
3. None of the scripts described in the article are present in the pre-built virtual server.
I promise if I get this figured out I will thoroughly document the use case for others.
Wish me luck.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Using externally generated subordinate authority certificate
Wrong Forum .. Wrong Product .. Don't read the help ..
-
- OpenVPN Power User
- Posts: 51
- Joined: Thu Dec 13, 2018 11:15 pm
Re: Using externally generated subordinate authority certificate
I guess I'll just keep looking for the loot box.
Previous offer stands...if I figure it out I'll post the solution...hopefully it can help someone else.
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm