Hello,

After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
have it all working rather nicely, but with self-signed certificates, which is
not ideal.

(This is actually amazing btw guys. Like wow. The QR codes and the OpenOTP
Android app. wtf??!! :)

I'm scratching around trying to find a way to provide server and client
certificates but, to be honest, my understanding of certificates is not
good enough to be able to take the leap.

I understand from previous discussions that client certificates are not yet
supported in FreeIPA; instead I understand one can use "service
certificates". From an OpenVPN standpoint I'm guessing this is fine because
a VPN client can be entered in FreeIPA as a client and a certificate
generated for it. This might actually be a preferred model for VPN.

My OVPN server config looks like this:
ca ca.crt
cert server.crt
key server.key
# Diffie-Hellman parameters.
dh dh2048.pem

I guess I can use the
"ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
command to generate the server.crt and private.key and I know where to find
ca.crt however:
- How about the Diffie-Hellman parameters?
- Is dh2048.pem just a bunch of shared primes that enable the two parties
to establish encryption together?
- Is it bad if this file is compromised?

Thanks,

Andrew
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project