OpenVPN with Bacula TLS certificate

wanderlei.huttel

Post by wanderlei.huttel » Tue Jul 10, 2018 12:38 am

Hello Guys

I'm using this script to configure a VPN and it worked fine.
https://github.com/Nyr/openvpn-install/ ... install.sh

I would like to use the Bacula TLS certificates with OpenVPN. Is it possible?

Bacula usually has 3 daemons (director, storage and client), and one TLS certificate is necessary for every daemon.

The TLS certificates are generated with the following commands:


# Create the directories the commands and openssl.cnf expect
mkdir -p keys certs

# Generate root key and self-signed root certificate
openssl genrsa -out keys/root_key.pem 2048
openssl rsa -check -noout -in keys/root_key.pem
openssl req -new -x509 -batch -config openssl.cnf -key keys/root_key.pem -days 36500 -out certs/root_cert.pem
# A self-signed root only verifies against itself, so pass it as the trust anchor
openssl verify -CAfile certs/root_cert.pem certs/root_cert.pem
openssl x509 -text -noout -in certs/root_cert.pem


# Generate the CA database and serial used by "openssl ca"
touch index.txt
touch index.txt.attr
echo "01" > serial

# Generate bacula-dir key (director) (could be the server certificate)
openssl genrsa -out keys/bacula-dir_key.pem 2048
openssl rsa -check -noout -in keys/bacula-dir_key.pem
openssl req -new -config openssl.cnf -batch -subj "/C=BR/ST=State/L=City/O=Bacula/CN=localhost/emailAddress=email" -key keys/bacula-dir_key.pem -out certs/bacula-dir_cert.csr
openssl ca -keyfile keys/root_key.pem -config openssl.cnf -batch -policy policy_anything -extensions usr_cert -enddate 20280708235900Z -out certs/bacula-dir_cert.pem -infiles certs/bacula-dir_cert.csr
openssl x509 -text -noout -in certs/bacula-dir_cert.pem


# Generate bacula-sd key (storage)
openssl genrsa -out keys/bacula-sd_key.pem 2048
openssl req -new -config openssl.cnf -batch -subj "/C=BR/ST=State/L=City/O=Bacula/CN=public_ip/emailAddress=email" -key keys/bacula-sd_key.pem -out certs/bacula-sd_cert.csr
openssl ca -keyfile keys/root_key.pem -config openssl.cnf -batch -policy policy_anything -extensions usr_cert -enddate 20280708235900Z -out certs/bacula-sd_cert.pem -infiles certs/bacula-sd_cert.csr
openssl x509 -text -noout -in certs/bacula-sd_cert.pem


# Generate bacula-fd key (client) (could be the client1 certificate)
openssl genrsa -out keys/bacula-fd_key.pem 2048
openssl req -new -config openssl.cnf -batch -subj "/C=BR/ST=State/L=City/O=Bacula/CN=localhost/emailAddress=email" -key keys/bacula-fd_key.pem -out certs/bacula-fd_cert.csr
openssl ca -keyfile keys/root_key.pem -config openssl.cnf -batch -policy policy_anything -extensions usr_cert -enddate 20280708235900Z -out certs/bacula-fd_cert.pem -infiles certs/bacula-fd_cert.csr
openssl x509 -text -noout -in certs/bacula-fd_cert.pem

Below is the template of openssl.cnf; in the commands above every variable substitution was already made.


# openssl.cnf.template
HOME             = XXX_SSL_DIR_XXX
RANDFILE         = $ENV::HOME/.rnd

[ ca ]
default_ca       = CA_default                   # The default ca section

[ CA_default ]

dir              = XXX_SSL_DIR_XXX              # Where everything is kept
certs            = $dir/certs                   # Where the issued certs are kept
crl_dir          = $dir/crl                     # Where the issued crl are kept
database         = $dir/index.txt               # database index file.
unique_subject   = no                           # Set to 'no' to allow creation of
                                                # several certificates with same subject.
new_certs_dir    = $dir/certs                   # default place for new certs.

certificate      = $dir/certs/XXX_ROOT_CA_XXX   # The CA certificate
serial           = $dir/serial                  # The current serial number
crlnumber        = $dir/crlnumber               # the current crl number
                                                # must be commented out to leave a V1 CRL
crl              = $dir/crl.pem                 # The current CRL
private_key      = $dir/private/XXX_ROOT_KEY_XXX    # The private key
RANDFILE         = $dir/private/.rand           # private random number file

x509_extensions  = usr_cert                     # The extensions to add to the cert

name_opt         = ca_default                   # Subject Name options
cert_opt         = ca_default                   # Certificate field options

default_days     = 36500                        # how long to certify for (default: 100 years)
default_crl_days = 30                           # how long before next CRL
default_md       = sha256                       # use public key default MD
preserve         = no                           # keep passed DN ordering

policy           = policy_match

[ policy_match ]
countryName             = match
stateOrProvinceName     = match
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional


[ req ]
default_bits            = 4096
default_keyfile         = XXX_ROOT_CA_XXX
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions         = v3_ca                 # The extensions to add to the self signed cert
string_mask             = utf8only

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = XXX_COUNTRY_NAME_XXX
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = XXX_STATE_OR_PROVINCE_NAME_XXX

localityName                    = Locality Name (eg, city)
localityName_default            = XXX_LOCALITY_NAME_XXX

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = XXX_ORGANIZATION_NAME_XXX

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_max                  = 64
commonName_default              = XXX_COMMON_NAME_XXX

emailAddress                    = Email Address
emailAddress_max                = 64
emailAddress_default            = XXX_EMAIL_ADDRESS_XXX

[ req_attributes ]
challengePassword               = A challenge password
challengePassword_min           = 4
challengePassword_max           = 20

unstructuredName                = An optional company name

[ v3_ca ]

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid:always,issuer
# The self-signed root must be flagged as a CA; with CA:false OpenSSL (and so
# OpenVPN and Bacula) rejects it as an issuer when verifying the daemon certs.
basicConstraints        = critical,CA:TRUE

[ usr_cert ]

basicConstraints        = CA:FALSE
nsComment               = "OpenSSL Generated Certificate"

subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer


I appreciate any comment.

Best Regards
Wanderlei Hüttel
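The question above is whether certificates issued this way can be reused by OpenVPN. Two things decide that: the root must actually be a CA (basicConstraints CA:TRUE), and, if the client config contains `remote-cert-tls server`, the server certificate must carry keyUsage digitalSignature plus extendedKeyUsage serverAuth, which the post's `usr_cert` section does not add. The script below is an added example, not code from the post or from Bacula or OpenVPN: it builds a throwaway PKI in a temporary directory, issues one leaf under a CA:false root, one leaf with the post's `usr_cert` extensions, and one with the extra extensions, and runs a check on each. The function and file names (`check_server_cert`, `issue_leaf`, `vpn.example`) are made up for the demo, and it signs with `openssl x509 -req` rather than the post's `openssl ca` to avoid the index/serial database.

```shell
#!/bin/sh
# Added example (not from the forum post or from Bacula/OpenVPN): build a
# throwaway PKI and check which certificates an OpenVPN peer configured with
# "remote-cert-tls server" would accept. All names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed minimal config. "bad_ca" reproduces the post's v3_ca (CA:false),
# "good_ca" is the corrected root, "usr_cert" mirrors the post's leaf section,
# and "server_cert" adds what remote-cert-tls server requires.
cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = demo-root
[ bad_ca ]
subjectKeyIdentifier = hash
basicConstraints = CA:false
[ good_ca ]
subjectKeyIdentifier = hash
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ usr_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ server_cert ]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF

# make_root NAME EXT_SECTION: self-signed root, like the post's "req -x509".
make_root() {
    openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$WORK/pki.cnf" \
        -extensions "$2" -key "$WORK/$1.key" -out "$WORK/$1.pem"
}

# issue_leaf ROOT EXT_SECTION NAME: sign a CSR for CN=vpn.example with ROOT.
issue_leaf() {
    openssl genrsa -out "$WORK/$3.key" 2048 2>/dev/null
    openssl req -new -config "$WORK/pki.cnf" -subj "/CN=vpn.example" \
        -key "$WORK/$3.key" -out "$WORK/$3.csr"
    openssl x509 -req -days 365 -in "$WORK/$3.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -extfile "$WORK/pki.cnf" -extensions "$2" -out "$WORK/$3.pem" 2>/dev/null
}

# check_server_cert CA_PEM LEAF_PEM: returns 0 when the leaf chains to CA_PEM
# and carries the extensions an OpenVPN client with "remote-cert-tls server"
# insists on (keyUsage digitalSignature, extendedKeyUsage serverAuth).
check_server_cert() {
    if ! openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo "FAIL $2: does not verify against $1 (is the root CA:TRUE?)"; return 1
    fi
    text="$(openssl x509 -in "$2" -noout -text)"
    if ! printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication'; then
        echo "FAIL $2: no extendedKeyUsage serverAuth"; return 1
    fi
    if ! printf '%s\n' "$text" | grep -q 'Digital Signature'; then
        echo "FAIL $2: keyUsage lacks digitalSignature"; return 1
    fi
    echo "OK   $2"
}

make_root bad_root bad_ca
make_root good_root good_ca
issue_leaf bad_root  server_cert leaf_under_bad_root   # good leaf, CA:false root
issue_leaf good_root usr_cert    leaf_post_style       # post's usr_cert, no EKU
issue_leaf good_root server_cert leaf_fixed            # what OpenVPN accepts

for pair in "bad_root leaf_under_bad_root" "good_root leaf_post_style" "good_root leaf_fixed"; do
    set -- $pair
    check_server_cert "$WORK/$1.pem" "$WORK/$2.pem" || true
done
```

Only the last pair passes: the first fails chain verification because OpenSSL refuses a root whose basicConstraints says CA:false, and the second chains correctly but lacks the server EKU. The same check can be pointed at the real `root_cert.pem` and `bacula-dir_cert.pem` from the post to see whether they are usable as an OpenVPN CA and server certificate.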
