Reliable TLS whitelist for use with commercial CA certs?

leocomerford
OpenVpn Newbie
Posts: 2
Joined: Thu May 19, 2011 7:36 pm

Reliable TLS whitelist for use with commercial CA certs?

Post by leocomerford » Fri May 20, 2011 2:42 am

I would like to set up an OpenVPN server to use server and client certificates signed by a commercial CA instead of self-signed certs. (At present, all the server and client certs have been signed by the same commercial CA, but that might change in future.) But (as is usual) I only want to allow approved clients to connect, and not anyone with a certificate signed by the commercial CA cert(s) I add to the approved certificates. I don't want to rely on a second form of identification like a user/password challenge: I want the server to just reject certificates which are not on a whitelist maintained by me. Similarly, it will of course be necessary to make sure that the clients will only accept the right server cert.

I'd rather use OpenVPN 2.1 (since that's what's standard with the current Ubuntu, 11.04). Obviously I'll consider installing 2.2 if it's going to help fix my problem. But comparing the 2.1 and 2.2 manpages doesn't suggest that there are any relevant differences.

The obvious solution would be to use a verify-cn whitelist, except that verify-cn only checks Common Names, and afaict there's no guarantee that all the people/organisations who are issued certificates by a particular commercial CA will each have a unique CN in their certs, let alone that any two different people/organisations with certificates signed by two different big-name CAs will each have two different CNs on their certs. (Is this correct?) It seems to be necessary to whitelist on Distinguished Name, or perhaps SubjectAltName or something. Is there an official OpenVPN script or plugin to do this, or at least a widely-adopted one? I'd rather not have to roll my own --tls-verify script: partly out of laziness, but partly for security reasons. I'd prefer not to take a chance on getting it right with a roll-your-own solution, especially since I'm no expert on PKI. If I do have to roll my own, what set of fields should I inspect to get a unique ID and how?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Reliable TLS whitelist for use with commercial CA certs?

Post by janjust » Fri May 20, 2011 6:47 am

you could use certificate chains
https://community.openvpn.net/openvpn/w ... ate_Chains
which circumvents the need for a custom verify-tls script.

There is no "standard" verify-tls script for this, as you need to verify the entire certificate chain. I often use a script which only verifies the certificate DN, but this can easily be spoofed using another sub-CA which is signed by the same commercial CA.

leocomerford
OpenVpn Newbie
Posts: 2
Joined: Thu May 19, 2011 7:36 pm

Re: Reliable TLS whitelist for use with commercial CA certs?

Post by leocomerford » Sat May 21, 2011 12:21 am

janjust wrote: you could use certificate chains
https://community.openvpn.net/openvpn/w ... ate_Chains
which circumvents the need for a custom verify-tls script.
Thank you; but I have to admit I don't get how chains can be used to substitute for a whitelist in this case. Could I ask you to explain a bit further?

janjust
Forum Team
Posts: 2703
Joined: Fri Aug 20, 2010 2:57 pm
Location: Amsterdam

Re: Reliable TLS whitelist for use with commercial CA certs?

Post by janjust » Sat May 21, 2011 1:59 pm

Hmm, I may have been a bit too hasty: you can use certificate chains if you set up a sub-CA which is signed by the commercial CA. You could then hand out client certificates which are signed by this sub-CA.
If you want to accept pretty much "random" certificates from a commercial CA then you need a 'tls-verify' script which verifies the certificate chain for each user cert that you want to allow, i.e. it needs to know


certificate DN
  |-- signed by (sub)CA1
     |-- signed by (sub)CA2
         |-- signed by commercial CA
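A tls-verify hook along the lines janjust describes, added here as an example (it is not from the thread or from the OpenVPN project): it whitelists the whole exported chain plus the leaf serial rather than the leaf DN alone, so a same-DN certificate issued under a different sub-CA of the same commercial root does not match. It assumes the tls_id_{n} and tls_serial_{n} variables OpenVPN exports to the script; the whitelist path and record format are my own invention.

```shell
#!/bin/sh
# tls-verify hook. OpenVPN runs it once per certificate in the chain as
# "<script> <depth> <subject DN>", root first and the client cert last
# (depth 0). Exit 0 to accept, non-zero to reject.
#
# Whitelist record format (hypothetical), one line per approved client:
#   <tls_serial_0>|<tls_id_0>|<tls_id_1>|...|<tls_id_N>
# The serial format OpenVPN exports (hex or decimal) differs between
# versions, so take it from what your own server logs, not from a guess.
WHITELIST="${OPENVPN_CHAIN_WHITELIST:-/etc/openvpn/chain-whitelist.txt}"

# Rebuild the chain key from the environment; by the time depth 0 is
# checked, tls_id_{n} is set for every depth of the chain.
chain_key() {
    key="${tls_serial_0:-}"
    n=0
    while :; do
        eval "id=\${tls_id_$n:-}"
        [ -n "$id" ] || break
        key="$key|$id"
        n=$((n + 1))
    done
    printf '%s\n' "$key"
}

# verify_chain <depth> <subject>. Intermediate depths pass here because
# OpenVPN has already verified their signatures against --ca; the whitelist
# decision is made once, at depth 0, against the complete chain.
verify_chain() {
    depth="$1"
    [ "$depth" -eq 0 ] || return 0
    [ -n "${tls_id_0:-}" ] || return 1   # no leaf DN exported: reject
    [ -r "$WHITELIST" ] || return 1      # missing list: fail closed
    grep -Fxq -- "$(chain_key)" "$WHITELIST"
}

# Entry point when OpenVPN invokes the script with its two arguments.
if [ "$#" -ge 2 ]; then
    verify_chain "$1" "$2"
    exit $?
fi
```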
