Use system ca certificates

Scripts to manage certificates or generate config files


eingemaischt
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 24, 2022 9:00 am

Use system ca certificates

Post by eingemaischt » Thu Feb 24, 2022 9:06 am

Hi,

Is there any option to use the "system certificates" instead of locally provided ones?

I can create and use x509 SSL certificates whose CAs are included in the system stores...

Furthermore, can I configure the server to deliver intermediate certificates as well?

eingemaischt
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 24, 2022 9:00 am

Re: Use system ca certificates

Post by eingemaischt » Tue Mar 01, 2022 8:30 am

BTW: I am using the Android app as client - but the function would be useful in the Linux/Windows client as well....

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use system ca certificates

Post by TinCanTech » Tue Mar 01, 2022 2:22 pm

eingemaischt wrote:
Thu Feb 24, 2022 9:06 am
I can create and use x509 SSL certificates whose CAs are included in the system stores..
So can anybody else and then they can use your VPN without your permission.

eingemaischt
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 24, 2022 9:00 am

Re: Use system ca certificates

Post by eingemaischt » Thu Mar 10, 2022 2:11 pm

Hi,

Sorry, I was not clear enough: I want to use the system CA store for the authentication of the server to prevent MITM attacks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Use system ca certificates

Post by TinCanTech » Thu Mar 10, 2022 4:10 pm

I don't know what you really want. Just use Easy-RSA3 to generate your certificates.

eingemaischt
OpenVpn Newbie
Posts: 5
Joined: Thu Feb 24, 2022 9:00 am

Re: Use system ca certificates

Post by eingemaischt » Thu Apr 14, 2022 8:25 am

Sorry. I do have the following problem:

We have about 60 tablets with OpenVPN Connect.

Our VPN server uses an x509 certificate from an "official" (as in: CA certificate installed on Android by default) PKI. We also enrolled the CA certificate with our profile. The authentication of the client is done by pre-shared key.

But at the end of 2022 we'll have to change that CA certificate.

We now have three alternatives:
1) Make the app use Android's certificate store for the CA certificate instead. This would be great for the transition, because we can roll out the config without changing anything on the server - and without the need to change all configs on all tablets simultaneously.
2) Make the app use a new CA certificate. This would mean that we have to change all configs on all tablets simultaneously - or create a second VPN server during the transition.
3) Make the app accept two CA certificates - all the advantages from 1) + we would be able to change to a self-signed cert with a LOOOONG lifetime...
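The following script is an added example for this thread; it is not code from OpenVPN, Easy-RSA or any of the posters. It shows the third alternative above in config terms: OpenVPN's `ca` option and the inline `<ca>` block accept several PEM certificates concatenated together, so one bundle can carry the old and the new CA during the switch-over, and `extra-certs` on the server answers the first post's question about delivering intermediate certificates. Because trusting two CAs (or a whole system store) means any certificate issued by either CA would otherwise be accepted as the server, the rendered client profile also pins the expected server name with `verify-x509-name` and requires the server EKU with `remote-cert-tls`. All file names, the hostname `vpn.example.com` and the certificate bodies are constructed placeholders, and the Debian-family system bundle path mentioned in the comments is an assumption about the client's distribution.

```shell
#!/bin/sh
# Added example for this thread, not code from OpenVPN or any poster.
# Builds a "trust both CAs during the transition" client profile and a
# server snippet that ships the intermediate chain. Every file name and
# certificate body is a constructed placeholder; swap in the real PEM files.
set -eu

WORK="${TMPDIR:-/tmp}/ovpn-ca-transition.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Write a constructed placeholder standing in for a real CA PEM file.
write_placeholder_ca() {
    printf '%s\n%s\n%s\n' \
        '-----BEGIN CERTIFICATE-----' \
        "PLACEHOLDER-$2-NOT-A-REAL-CERTIFICATE" \
        '-----END CERTIFICATE-----' > "$1"
}

# OpenVPN's "ca" option (and the inline <ca> block) accept several PEM
# certificates concatenated together, so one bundle carries old and new CA.
# On a Linux client the same option could point straight at the distribution
# bundle instead (assumed Debian-family path: /etc/ssl/certs/ca-certificates.crt),
# which is the closest thing to the "system store" asked about above.
build_ca_bundle() {
    out="$1"; shift
    : > "$out"
    for ca in "$@"; do
        cat "$ca" >> "$out"
    done
}

# Number of certificates in a PEM bundle (prints 0 instead of failing on none).
count_certs() {
    grep -c -F -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Client profile with the bundle inline. With two CAs (or a system store)
# trusted, any certificate from either CA would be accepted as the server,
# so pin the expected CN and require the server extended key usage.
# Assumes the server certificate's CN equals the hostname given.
render_client_config() {
    bundle="$1"; server_name="$2"
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$server_name"
    printf 'remote-cert-tls server\n'
    printf 'verify-x509-name %s name\n' "$server_name"
    printf '<ca>\n'
    cat "$bundle"
    printf '</ca>\n'
}

# Server side: "extra-certs" makes the server send the intermediate
# certificate(s) so clients holding only the root CA can build the chain.
render_server_chain_config() {
    printf 'ca %s\ncert %s\nkey %s\nextra-certs %s\n' "$1" "$2" "$3" "$4"
}

# Demo run with constructed inputs.
write_placeholder_ca "$WORK/old-ca.pem" OLD
write_placeholder_ca "$WORK/new-ca.pem" NEW
build_ca_bundle "$WORK/ca-bundle.pem" "$WORK/old-ca.pem" "$WORK/new-ca.pem"
render_client_config "$WORK/ca-bundle.pem" vpn.example.com > "$WORK/client.ovpn"
render_server_chain_config ca.crt server.crt server.key intermediate.pem \
    > "$WORK/server-chain.conf"
```

Once the new CA is live everywhere, the bundle shrinks back to a single certificate by re-running `build_ca_bundle` with only `new-ca.pem`; the `verify-x509-name` and `remote-cert-tls server` lines stay, since they are what keeps a stray certificate from a trusted CA from being accepted as the VPN server.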
