On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
> 
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
> 
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:

Unless there are other requirements on the contents of the certificate,
I'd expect that to work.

I see mention in the docs of optionally requiring that a peer
certificate include a particular value in its nsCertType extension
(support for that's not currently planned AFAIK), or a particular value
in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
supporting that), but you're not setting such a requirement above.

> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?

Yes to both.  I'm going by the PKI section of the howto [2] and the man
page here.

> - Is it bad If this file is compromised?

The howto and man pages say it's not required to be kept secret, and the
secrecy of a key that's generated using DH key agreement doesn't depend
on the parameters being kept secret, so I'd say no.

HTH,

Nalin

[1] https://fedorahosted.org/freeipa/ticket/2915
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to