On Mon, Jan 29, 2018 at 01:34:37PM +0000, Mike Kelly via FreeIPA-users wrote:
> Hi,
> 
> I'm looking to use FreeIPA's PKI for OpenVPN... any pointers on the right
> way to generate per-user certificates? (Looking to generate certs for
> Android and Chrome OS, so I don't have an easy way to build a CSR on those
> devices directly that I can find; I assume I want to just generate the cert
> & key on the IPA server, copy it securely, then nuke the private key, and
> place the public key somewhere for OpenVPN to find?
> 
Ideally you should generate the keys and create a CSR on the device.
Then use IPA to issue certificates for the user.  But I do not know
enough about Android or Chrome OS to know the best way to do this.

Alternatively you can generate the keys and request the certificates
from a central server, and distribute the keys to users as
(presumably) PKCS #12 files or something similar.

As for the public key, actually you should not need to tell OpenVPN
about the public keys at all.  Rather you should configure OpenVPN
to trust the CA that signed the client certificates.  Again, I do
not know the specifics but man pages should explain it.

HTH,
Fraser

> 
> -- 
> 
> Mike Kelly

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to