Using externally generated subordinate authority certificate

Ask questions about your Access Server configuration here.
Post Reply
OpenVpn Newbie
Posts: 9
Joined: Thu Dec 13, 2018 11:15 pm

Using externally generated subordinate authority certificate

Post by mdibella » Wed Dec 19, 2018 4:25 pm

I'm trying to prove a use case for OpenVPN for Per-app VPN on iOS. In order to do this, I need the MDM server to issue the VPN profile to the device with an embedded client certificate for autoconnect. As a first step in proving the case, I need to reconfigure the OpenVPN server to accept client certificates from an external authority. To simplify testing, I desire to re-key the built-in CA with an externally generated Subordinate Authority certificate, then after proving reliable operation using an access-server-provided profiles, implement the MDM as an issuing server using the same certificate and issue profiles from the MDM.

I've read the "External public key infrastructure (PKI)" article and it provides an incomplete solution as I want to maintain OpenVPN's connection profile factory to include internally generated client certificates, but I want those certificates to chain to my enterprise root.

I've also read the "Setting up your own Certificate Authority (CA)" article, but none of the scripts described in the article are present in the pre-built virtual server.

I'm using the OpenVPN virtual appliance (Ubuntu 16.04.4 LTS) and I've updated it to OpenVPN 2.6.1. I have an externally generated subordinate authority certificate that I want to use for OpenVPN client certificates. I've searched for a good process to use to replace both replace the signing certificate for new client certificates, and update the client certificate trust list, but I haven't found any. I think I need to update rows in the certs.db file, but I was hoping there are already some scripts to do that and I won't have to modify tables using SQL commands.

From the sqlite3 SQL> command prompt, I can see there is a row in the certs.db database "certificates" table containing the base64-encoded certificate file and private key for the system-generated authority for signing client certificates. The system has assigned a common name of "OpenVPN CA" for this certificate, which I see in the "cn" column. However, in the config.db database dump, I don't see any property that connects the common name "Open VPN" (or the certificate serial number, or any other column in the "certificate" table) to be used as the signing certificate for generating client certificates. In the article description the external CA use case, I do see references to some configuration keys for setting the external CA certificate for trust purposes -- external_pki.server_ca_crt -- but since I am looking to use the internal CA to generate client certificates, I'll need a way to set both the certificate and private key.

I also looked at the help for the certool script and tried:

./certool --cabundle=subca.pfx --capass=PROMPT --type=ca

But it appears to have had no effect.

Is there a supported method to regenerate the internal certificate authority using a provided certificate?

Post Reply