
Understanding RSA management

Posted: Tue Dec 21, 2010 9:00 pm
by capitansig
Hi

I have installed an OpenVPN box working with LDAP auth with Novell (working great) and certificates to validate users.
It is working fine, but I have some doubts with the certs.

Every time I need to give access to a new user I follow the steps listed in the OpenVPN HOWTO:

- run "vars"
- run build-key %user%

After that process I copy %user%.crt, %user%.key, ca.crt and defaultconfig.ovpn (the file with the client config).
Again, this works fine, but below are my doubts.

That cert works on every computer with any user.
So if I create a cert for a user, that user can copy the cert to give access to other people.
But I would like to know if there is a way to attach a cert to a user or to a computer.

As you can see I don't have expertise using these certs, so any help is welcome.

Version 1.2.3-RELEASE
built on Sun Dec 6 23:21:36 EST 2009

Re: Understanding RSA management

Posted: Thu Dec 23, 2010 12:17 pm
by gladiatr72
In short: no.

You've made an important decision in requiring user/password authentication by way of your LDAP service, but client certificates are only as secure as the clients themselves. Unfortunately, it is not an issue that can be solved technically :)

A similar, if not more important, problem that must be addressed periodically is the shared DH key. It's a functionally fantastic idea: if you do not have this key, you cannot even communicate with the OpenVPN daemon; however, the more clients have the key, the less meaningful its protection becomes.

If you are concerned with the trustworthiness of client certificate holders, you could implement a policy that shortens the lifespan of the client certificates. Without careful planning and customer education, this can become a management nightmare, but if the data behind your firewalls is important enough, such planning would be worth it.

Regards,
Stephen
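The "vars" + "build-key %user%" procedure from the first post and the shorter-lifespan policy suggested in the reply, as an added example that is not part of the thread and not easy-rsa's own scripts: the same CA and client-certificate flow done with plain openssl so each user's cert gets its own validity period, plus the chain check the server performs and the expiry check an admin would cron to drive renewals. The working directory, the CA name and the user names are assumptions; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not from the thread and not easy-rsa's own scripts: the
# CA / client-certificate flow that "vars" + "build-key %user%" performs,
# done with plain openssl so each client cert gets its own (short)
# lifetime. WORK, the CA name and the user names are illustrative
# assumptions; it needs only the openssl binary.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on the system
# openssl.cnf. [ca_ext] is applied only when generating the CA (-x509).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = example-vpn-ca
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
EOF

# Extensions for a client cert: explicitly not a CA, client auth only.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyAgreement
extendedKeyUsage = clientAuth
EOF

# build-ca equivalent: one self-signed CA, done once.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# build-key equivalent for user $1, valid for $2 days. The CN is the
# user name; the lifetime is the knob the reply suggests shortening.
build_key() {
    user="$1"; days="$2"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$user" \
        -keyout "$WORK/$user.key" -out "$WORK/$user.csr" 2>/dev/null
    openssl x509 -req -days "$days" -in "$WORK/$user.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$user.crt" 2>/dev/null
}

# Prints "ok" if $1.crt chains to ca.crt, i.e. what the OpenVPN server
# checks before it even asks LDAP for the password; "fail" otherwise.
verify_client() {
    if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Prints "expiring" if $1.crt expires within $2 seconds, else "valid".
# Run from cron over all issued certs to drive the renewal policy.
expiry_status() {
    if openssl x509 -in "$WORK/$1.crt" -noout -checkend "$2" >/dev/null 2>&1; then
        echo valid
    else
        echo expiring
    fi
}

# Prints the CN the server will see from $1.crt.
cert_cn() {
    openssl x509 -in "$WORK/$1.crt" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: sh issue-client.sh alice 30   (assumed file name)
if [ "$#" -eq 2 ]; then
    make_ca
    build_key "$1" "$2"
    echo "cn=$(cert_cn "$1") chain=$(verify_client "$1") within-30d=$(expiry_status "$1" 2592000)"
    echo "client bundle in $WORK: ca.crt $1.crt $1.key (plus the .ovpn)"
fi
```

Nothing in the bundle ties it to a machine or a person: a copied ca.crt, %user%.crt and %user%.key pass verify_client exactly as the original copy does, which is the point of the reply. What the lifetime buys you is a bounded window: `openssl x509 -checkend` over the issued certs tells you which users must come back for a new one, so a cert that has wandered stops working without anyone having to notice it wandered.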