OpenVPN should support X509 Certificate Policies in order to compartmentalize a Root CA.
Currently, the only way for a single organisation to control which OpenVPN installation a user can connect to is to use separate CAs (assuming that user has an account on both systems).
If an organisation has a registered IANA OID such as 1.3.6.1.4.1.32473 (Example OID), they could distribute sub-trees to various OpenVPN installations within their organisation. Each would run their own subordinate CA (using a common Root CA) but only issue certificates which contain a Certificate Policy OID allocated to them. The server could then (with an appropriate option) check that the client certificate supplied has the allocated Policy OID embedded.
For example 1.3.6.1.4.1.32473.1 (note the .1 suffix) could be allocated to a dept A's OpenVPN server and subordinate CA, while 1.3.6.1.4.1.32473.2 (note the .2 suffix) could be allocated to dept B's OpenVPN server and CA. A user with a certificate issued by dept A's subordinate CA would therefore not be able to log in to dept B's OpenVPN installation and vice versa.
I believe OpenSSL has the ability to check policy trees, therefore this shouldn't be too difficult to implement (says the non-programmer!).
Support for Certificate Policies
- OpenVpn Newbie
- Posts: 1
- Joined: Fri Aug 04, 2017 9:11 pm

- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 15, 2019 8:33 pm
Re: Support for Certificate Policies
I can see that OpenVPN supports 'auth-user-pass-verify', which would allow using a script plugin to process a user authentication event. Is the client certificate available to this script?
If this is so, this script could be configured to check for the presence of the required certificate policy ID.
- OpenVpn Newbie
- Posts: 2
- Joined: Mon Jul 15, 2019 8:33 pm
Re: Support for Certificate Policies
Certificate policies can be validated with a script like the following:
Code:
#!/bin/bash
# OpenVPN's --tls-verify runs this once per certificate in the chain, passing the
# depth as $1 and the X.509 subject as $2, and exports the peer certificate in a
# temporary file named by the peer_cert environment variable.
certificate_depth=$1
policy=1.3.6.1.4.1.32473.1
if [ "$certificate_depth" -eq 0 ]; then
    # -policy_check switches policy processing on; without it openssl verify skips
    # policy processing and -policy has no effect, so any cert chaining to ca.crt
    # would pass. -explicit_policy rejects a chain whose policy tree lacks $policy.
    openssl verify -CAfile /etc/openvpn/ca.crt -policy_check -explicit_policy -policy "$policy" "$peer_cert" || exit 1
fi
And the following OpenVPN configuration in server.conf:
tls-verify /path/to/tls-verify-cert-policy.sh
Tested with OpenVPN 2.4.4-2ubuntu1.3.
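The split the first post describes, exercised end to end as an added example (not code from the thread or from OpenVPN): one root CA, a subordinate CA per department carrying its own policy OID, and the openssl verify check a department's tls-verify hook would run, including the cross-department rejections. It assumes OpenSSL 1.1.1 or later on PATH; the CA names, file paths and the 1.3.6.1.4.1.32473 example arc are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread: builds the PKI layout the first post describes
# (one root CA, a subordinate CA per department carrying its own policy OID) and shows
# openssl verify enforcing that OID the way a department's server would.
# Assumes OpenSSL 1.1.1 or later; all names, paths and the 1.3.6.1.4.1.32473 arc are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
ARC=1.3.6.1.4.1.32473

# issue NAME SIGNER EXTS: fresh key and CSR for NAME, signed by SIGNER with X.509 extensions EXTS
issue() {
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
    printf '%b\n' "$3" > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -out "$WORK/$1.crt" -extfile "$WORK/$1.ext" 2>/dev/null
}

build_pki() {
    # self-signed organisation root (the single trust anchor every server ships as ca.crt)
    openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" -subj /CN=OrgRootCA 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -out "$WORK/root.crt" \
        -extfile "$WORK/root.ext" 2>/dev/null
    # each department's sub-CA asserts only its own policy OID, as do the certs it issues
    issue deptA-ca root "basicConstraints=critical,CA:TRUE,pathlen:0\ncertificatePolicies=$ARC.1"
    issue deptB-ca root "basicConstraints=critical,CA:TRUE,pathlen:0\ncertificatePolicies=$ARC.2"
    issue alice deptA-ca "basicConstraints=CA:FALSE\ncertificatePolicies=$ARC.1"
    issue bob   deptB-ca "basicConstraints=CA:FALSE\ncertificatePolicies=$ARC.2"
    # every server knows both sub-CAs; only the policy OID tells the departments apart
    cat "$WORK/deptA-ca.crt" "$WORK/deptB-ca.crt" > "$WORK/subcas.pem"
}

# check_policy CLIENT POLICY: the check a department's tls-verify hook would run on the peer cert.
# -policy_check switches policy processing on (openssl verify ignores -policy without it);
# -explicit_policy fails the chain unless its policy tree contains POLICY.
# Exit status 0 = accepted, non-zero = rejected.
check_policy() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/subcas.pem" \
        -policy_check -explicit_policy -policy "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

build_pki
for who in alice bob; do
    for dept in 1 2; do
        if check_policy "$who" "$ARC.$dept"; then v=accepted; else v=rejected; fi
        echo "dept $dept server: $who $v"
    done
done
```

Running it prints alice accepted only by the dept 1 server and bob only by the dept 2 server; dropping -policy_check from check_policy makes all four combinations accepted, which is the trap the script in this thread would fall into.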
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Support for Certificate Policies
Easy-TLS already has a similar function called Custom Group.