Hello,

After following Alexander's advice to use sssd/pam for OpenVPN with OTP I have it all working rather nicely, but with self-signed certificates, which is not ideal.

(This is actually amazing btw guys. Like wow. The QR codes and the OpenOTP Android app. wtf??!! :)

I'm scratching around trying to find a way to provide server and client certificates but, to be honest, my understanding of certificates is not good enough to be able to take the leap.

I understand from previous discussions that client certificates are not yet supported in FreeIPA; instead I understand one can use "service certificates". From an OpenVPN standpoint I'm guessing this is fine because a VPN client can be entered in FreeIPA as a client and a certificate generated for it. This might actually be a preferred model for VPN.

My OVPN server config looks like this:

    ca ca.crt
    cert server.crt
    key server.key
    # Diffie hellman parameters.
    dh dh2048.pem

I guess I can use the "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r" command to generate the server.crt and private.key, and I know where to find ca.crt. However:

- How about the Diffie-Hellman parameters?
- Is dh2048.pem just a bunch of shared primes that enable the two parties to establish encryption together?
- Is it bad if this file is compromised?

Thanks,
Andrew
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
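The questions above about what dh2048.pem contains can be answered by looking at the file format and at how the values in it are used. The following Python is an added example written for this thread, not code from the original post, from FreeIPA or from OpenVPN. It assumes the PKCS#3 DHParameter layout that `openssl dhparam` writes (a DER SEQUENCE of two INTEGERs, p and g, wrapped in a "DH PARAMETERS" PEM block), encodes and parses such a block, runs a Diffie-Hellman exchange over the parsed values, and applies the primality and generator-range sanity checks one would otherwise get from `openssl dhparam -check`. The prime used is a constructed toy value, far too small for real use.

```python
import base64
import secrets

# Constructed toy parameters (assumption, not from the post): 2**127 - 1 is a
# known prime but is far too small for real use. A real dh2048.pem holds a
# 2048-bit prime produced by `openssl dhparam -out dh2048.pem 2048`.
TOY_P = 2**127 - 1
TOY_G = 2


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(n: int) -> bytes:
    """DER INTEGER (tag 0x02); the size rule keeps the sign bit clear."""
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + der_length(len(body)) + body


def der_sequence(*items: bytes) -> bytes:
    """DER SEQUENCE (tag 0x30) wrapping already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_length(len(body)) + body


def to_pem(p: int, g: int) -> str:
    """Serialise (p, g) as PKCS#3 DHParameter in the PEM form OpenVPN reads."""
    b64 = base64.b64encode(der_sequence(der_integer(p), der_integer(g))).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN DH PARAMETERS-----", *lines,
                      "-----END DH PARAMETERS-----"]) + "\n"


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def from_pem(pem: str):
    """Parse a DH PARAMETERS PEM block back into (p, g)."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN DH PARAMETERS-----" or lines[-1] != "-----END DH PARAMETERS-----":
        raise ValueError("not a DH PARAMETERS block")
    tag, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])), 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = read_tlv(seq, 0)
    tag_g, g_bytes, _ = read_tlv(seq, pos)   # optional third INTEGER ignored
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test; enough to sanity-check a DH prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_params(p: int, g: int) -> bool:
    """What you should verify before trusting a dh file from anywhere: p prime, g in range."""
    return is_probable_prime(p) and 1 < g < p - 1


def dh_exchange(p: int, g: int):
    """One Diffie-Hellman exchange over the shared (p, g).

    Returns (alice_secret, bob_secret, wire); `wire` is all an observer sees.
    p and g are in it: they are public by design, so a leaked dh2048.pem does
    not expose session keys. Only the private exponents a and b must stay secret.
    """
    a = secrets.randbelow(p - 3) + 2   # Alice's private exponent, never sent
    b = secrets.randbelow(p - 3) + 2   # Bob's private exponent, never sent
    A, B = pow(g, a, p), pow(g, b, p)  # public values exchanged on the wire
    wire = {"p": p, "g": g, "A": A, "B": B}
    return pow(B, a, p), pow(A, b, p), wire


if __name__ == "__main__":
    pem = to_pem(TOY_P, TOY_G)
    print(pem)
    p, g = from_pem(pem)
    print("params sane:", check_params(p, g))
    s_alice, s_bob, wire = dh_exchange(p, g)
    print("shared secrets match:", s_alice == s_bob)
    print("visible on the wire:", sorted(wire))
```

Running it shows the whole content of such a file is p and g, both of which are also sent in the clear during the handshake; what protects the session is the private exponents, which never leave either side. The practical consequence for the server config is that dh2048.pem is not a secret in the way server.key is, but it still has to be a well-formed, sufficiently large prime from a source you trust, which is why it is generated locally with `openssl dhparam` rather than obtained from the CA.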