The tutorial will be in English, sorry
.We are looking for the easiest solution to check CAcert.org certificates using a smartcard.
From a CAcert user point of view, the best solution
would be to use two CAcert.org clients certificates,
and transfer them to smartcards.
But we did try and I don't know whether this is possible.
For a first try, here is our configuration:
* server is carrying an SSL server cert, running a verify-cn against verified emails.
* client is trying to authenticate using an OpenSC cryto key with CAcert client cert.
But it does not work, can you help?
===========> verify-cn
1 #!/bin/bash
2
3 # clients file must contain one client subject per line (grep regexp actually)
4
5 logfile=/etc/openvpn/verify-cn.log
6 clients=/etc/openvpn/verify-cn.allow
7
8 CA="/O=Root_CA/OU=http://www.cacert.org/CN=CA_Cert_Signin ... cacert.org"
9
10 case "$1" in
11 1)
12 [ "$2" == "$CA" ] && exit 0
13 ;;
14 0)
15 echo $2 | grep -q -f $clients && exit 0;
16 ;;
17 esac
18
19 echo "$(date +%Y%m%d-%H%M%S) FAILED: $*" >> $logfile
20 exit 1
===========> Client
dev tun0
ifconfig 10.9.8.2 10.9.8.1
ca /etc/ssl/certs/cacert.org.pem
pkcs11-providers /usr/lib/opensc-pkcs11.so
pkcs11-id 'EnterSafe/PKCS
\x2315/302349251708071XXXXXXXXXXX1259AE7ADE586200136759CBA22BDC'
askpass
tls-client
#persist-key
#persist-tun
log /tmp/openvpn-tun0.log
verb 3
============> Server
dev tun1
ifconfig 10.9.8.1 10.9.8.2
ca /etc/ssl/certs/cacert.org.pem
cert /etc/openvpn/cacert/cert.pem
key /etc/openvpn/cacert/newkey.pem
tls-verify /usr/share/openvpn/verify-cn
dh /etc/openvpn/dh2048.pem
log /tmp/openvpn-tun1.lot
verb 3
tls-server
auth-nocache
Any idea?
Kind regards,
Kellogs