On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
> Hello,
> After following Alexanders advice to use sssd/pam for OpenVPN with OTP I
> have it all working rather nice but with self signed certificates which is
> not ideal.
> (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
> android app. wtf??!! :)
> I'm scratching around trying to find a way to provide server and client
> certificates but, to be honest, my understanding of certificates is not
> good enough to be able to take the leap.
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:
> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?
> - Is it bad If this file is compromised?
> Thanks,
> Andrew

https://fedorahosted.org/freeipa/ticket/2915 says it's planned for 4.2, which 
I'm hoping for, since I want to have more of the certificate functionality of 
Dogtag exposed.  To use all the bells and whistles that OpenVPN can check on 
certificates, FreeIPA needs to support setting custom parameters on service 
certificates, which right now, it cannot do.  -A

Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E

Attachment: signature.asc
Description: This is a digitally signed message part.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to