Re: [Freeipa-users] Openvpn and Certificates
On Thu, 02 Apr 2015, Andrew Holway wrote:
>>> And et voila! It works! Although it does feel a bit hacky :)
>>
>> I do it the same way as I control my systems and can be sure there is
>> one user per system for VPN access. Works nicely.
>
> Is it possible to manage key revocation? I understand that this mechanism
> is mostly quite broken. How long are you making Certificates valid for?
Standard mechanism works fine -- 'ipa cert-revoke'. However, you need to
deliver CRL to OpenVPN server because OpenVPN only supports checking CRL
from a file system.

Theoretically one could make a systemd socket unit that would use 'nc' and
curl to pick up CRL from a CA every time OpenVPN asks for it (on each
client connection) or provide a cached version of it. An easiest way is to
make CRL retrieval periodical and populate whatever directory or file
crl-verify is pointed to.

-- 
/ Alexander Bokovoy

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
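One way to do the periodic CRL retrieval Alexander describes, written as an added example for this thread (it is not code from the list, from FreeIPA or from OpenVPN). It assumes the IPA CA publishes its CRL in DER form at CRL_URL and that the server's crl-verify directive points at the PEM file CRL_DEST; both values are assumptions and must be adjusted. Before replacing the file it parses thisUpdate/nextUpdate out of the DER and refuses a CRL outside its validity window, because a CRL whose nextUpdate has passed fails OpenSSL's CRL check and would lock every client out; the install is an atomic rename so OpenVPN never reads a half-written file. The sample CRL built by sample_crl_der() is constructed and unsigned, only so the script can be exercised offline.

```python
# refresh_crl.py: fetch the IPA CA's DER CRL, sanity-check its validity window,
# and install it as PEM where OpenVPN's crl-verify expects it. Added example;
# the URL and destination below are assumptions, not values from the thread.
import base64
import os
import tempfile
import urllib.request
from datetime import datetime, timezone

CRL_URL = "http://ipa-ca.example.test/ipa/crl/MasterCRL.bin"  # assumed CRL location
CRL_DEST = "/etc/openvpn/crl.pem"                              # assumed crl-verify path


def _tlv(data, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, position after it)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(data):
        raise ValueError("DER length runs past end of data")
    return tag, data[pos:end], end


def _enc(tag, value):
    """Encode one DER tag/length/value (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + value


def _parse_time(tag, value):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...), both ending in Z."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CRL; nextUpdate is None if absent.

    Walks CertificateList -> TBSCertList -> [version] signature issuer thisUpdate
    [nextUpdate] (RFC 5280 section 5.1). The signature is not verified here;
    OpenVPN checks it against the CA certificate when it loads the file.
    """
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("CRL is not a DER SEQUENCE")
    tag, tbs, _ = _tlv(body, 0)
    if tag != 0x30:
        raise ValueError("TBSCertList is not a DER SEQUENCE")
    tag, _, pos = _tlv(tbs, 0)
    if tag == 0x02:                         # optional version INTEGER present: also skip
        tag, _, pos = _tlv(tbs, pos)        # the signature AlgorithmIdentifier after it
    _, _, pos = _tlv(tbs, pos)              # issuer Name
    tag, val, pos = _tlv(tbs, pos)          # thisUpdate
    this_update = _parse_time(tag, val)
    next_update = None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)
        if tag in (0x17, 0x18):             # nextUpdate (otherwise revokedCertificates starts)
            next_update = _parse_time(tag, val)
    return this_update, next_update


def is_current(der, now=None):
    """True if the CRL is inside its validity window; a stale CRL must not replace a good file."""
    if now is None:
        now = datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    return this_update <= now and (next_update is None or now < next_update)


def der_to_pem(der):
    """OpenVPN reads crl-verify as PEM: base64 of the DER in 64-column lines with CRL headers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN X509 CRL-----\n" + "\n".join(lines) + "\n-----END X509 CRL-----\n"


def install_pem(pem, dest):
    """Write next to dest and rename over it, so OpenVPN never sees a partial CRL."""
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(prefix=".crl-", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            f.write(pem)
        os.chmod(tmp, 0o644)                # world-readable is fine: a CRL is public data
        os.replace(tmp, dest)
    except BaseException:
        os.unlink(tmp)
        raise
    return dest


def refresh(url=CRL_URL, dest=CRL_DEST, now=None):
    """Fetch the CA's DER CRL and install it as PEM; keep the old file if the new one is stale."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        der = resp.read()
    if not is_current(der, now):
        raise RuntimeError("downloaded CRL is outside its validity window; keeping the old file")
    return install_pem(der_to_pem(der), dest)


def sample_crl_der():
    """Constructed, unsigned CRL (v2, empty issuer, no revoked entries) for offline testing only."""
    sha256_rsa = _enc(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption OID
    tbs = _enc(0x30, _enc(0x02, b"\x01") + _enc(0x30, sha256_rsa) + _enc(0x30, b"")
               + _enc(0x17, b"250401000000Z") + _enc(0x17, b"250408000000Z"))
    return _enc(0x30, tbs + _enc(0x30, sha256_rsa) + _enc(0x03, b"\x00"))


if __name__ == "__main__":
    der = sample_crl_der()
    print("thisUpdate/nextUpdate:", crl_validity(der))
    print(install_pem(der_to_pem(der), os.path.join(tempfile.mkdtemp(), "crl.pem")))
```

Run refresh() from cron or a systemd timer more often than the CA reissues its CRL, so the file on disk never reaches its own nextUpdate; as Alexander notes, OpenVPN consults the crl-verify file on each client connection, so replacing the file is all that is needed for a revocation to take effect.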
Re: [Freeipa-users] Openvpn and Certificates
On Thu, 02 Apr 2015, Andrew Holway wrote:
> Is it possible to generate certs without the host having an entry in the DNS?
Yes. Create a host with 'ipa host-add --force' and then use normal ways to
generate certificates for this host.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Openvpn and Certificates
Is it possible to generate certs without the host having an entry in the DNS?

On 2 April 2015 at 08:55, Andrew Holway wrote:
>>> And et voila! It works! Although it does feel a bit hacky :)
>>
>> I do it the same way as I control my systems and can be sure there is
>> one user per system for VPN access. Works nicely.
>
> Is it possible to manage key revocation? I understand that this mechanism
> is mostly quite broken. How long are you making Certificates valid for?
Re: [Freeipa-users] Openvpn and Certificates
>> And et voila! It works! Although it does feel a bit hacky :)
>
> I do it the same way as I control my systems and can be sure there is
> one user per system for VPN access. Works nicely.

Is it possible to manage key revocation? I understand that this mechanism
is mostly quite broken. How long are you making Certificates valid for?
Re: [Freeipa-users] Openvpn and Certificates
On Wed, 01 Apr 2015, Andrew Holway wrote:
> On 1 April 2015 at 20:02, Nalin Dahyabhai wrote:
>> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
>>> I understand from previous discussions that client certificates are not yet
>>> supported in FreeIPA, instead I understand one can use "service
>>> certificates". From an OpenVPN standpoint I'm guessing this is fine because
>>> a vpn client can be entered in Freeipa as a client and a certificate
>>> generated for it. This might actually be a preferred model for VPN.
>>>
>>> My OVPN server config looks like this:
>>> ca ca.crt
>>> cert server.crt
>>> key server.key
>>> # Diffie hellman parameters.
>>> dh dh2048.pem
>>>
>>> I guess I can use the
>>> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
>>> command to generate the server.crt and private.key and I know where to find
>>> ca.crt however:
>>
>> Unless there are other requirements on the contents of the certificate,
>> I'd expect that to work.
>
> ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de
>
> ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain...@domain.de
>
> -- Then shuffle the keys and certs around --
> -- Restart OpenVPN --
>
> And et voila! It works! Although it does feel a bit hacky :)
I do it the same way as I control my systems and can be sure there is one
user per system for VPN access. Works nicely.

The only issue if you want some systems authenticate with certificates
only and others with user/password+OTP. Unfortunately, this combination
does not work with OpenVPN as all authentication methods must succeed.
There is an option --auth-user-pass-optional that allows core OpenVPN to
work without the requirement of passwords but then plugins/scripts must
account for it and openvpn-plugin-auth-pam is not aware of that, it seems.

-- 
/ Alexander Bokovoy
Re: [Freeipa-users] Openvpn and Certificates
On Wednesday, April 01, 2015 07:02:56 PM Andrew Holway wrote:
> Hello,
>
> After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
> have it all working rather nice but with self signed certificates which is
> not ideal.
>
> (This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
> android app. wtf??!! :)
>
> I'm scratching around trying to find a way to provide server and client
> certificates but, to be honest, my understanding of certificates is not
> good enough to be able to take the leap.
>
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:
> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?
> - Is it bad if this file is compromised?
>
> Thanks,
>
> Andrew

https://fedorahosted.org/freeipa/ticket/2915 says it's planned for 4.2,
which I'm hoping for, since I want to have more of the certificate
functionality of Dogtag exposed. To use all the bells and whistles that
OpenVPN can check on certificates, FreeIPA needs to support setting custom
parameters on service certificates, which right now, it cannot do.

-A

-- 
Anthony - https://messinet.com/ - https://messinet.com/~amessina/gallery
8F89 5E72 8DF0 BCF0 10BE 9967 92DC 35DC B001 4A4E
Re: [Freeipa-users] Openvpn and Certificates
On 1 April 2015 at 20:02, Nalin Dahyabhai wrote:
> On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
>> I understand from previous discussions that client certificates are not yet
>> supported in FreeIPA, instead I understand one can use "service
>> certificates". From an OpenVPN standpoint I'm guessing this is fine because
>> a vpn client can be entered in Freeipa as a client and a certificate
>> generated for it. This might actually be a preferred model for VPN.
>>
>> My OVPN server config looks like this:
>> ca ca.crt
>> cert server.crt
>> key server.key
>> # Diffie hellman parameters.
>> dh dh2048.pem
>>
>> I guess I can use the
>> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
>> command to generate the server.crt and private.key and I know where to find
>> ca.crt however:
>
> Unless there are other requirements on the contents of the certificate,
> I'd expect that to work.

ipa service-add-host --hosts ipa.domain.de client/andrews-macbook-air.local.domain.de

ipa-getcert request -f /var/lib/certmonger/requests/Andrews-MacBook-Air.local.crt -k /var/lib/certmonger/requests/Andrews-MacBook-Air.local.key -N CN=andrews-macbook-air.local.domain.de -D andrews-macbook-air.local.domain.de -K client/andrews-macbook-air.local.domain...@domain.de

-- Then shuffle the keys and certs around --
-- Restart OpenVPN --

And et voila! It works! Although it does feel a bit hacky :)

The GUI has some weird advice that did not make much sense when I did
Actions -> New Certificate:

  Issue New Certificate for Host andrews-macbook-air.local.domain.de
  Create a certificate database or use an existing one.
  To create a new database:
  # certutil -N -d
  Create a CSR with subject CN=,O=, for example:
  # certutil -R -d -a -g -s 'CN=andrews-macbook-air.local.otternetworks.de,O=OTTERNETWORKS.DE'
  Copy and paste the CSR (from -BEGIN NEW CERTIFICATE REQUEST- to
  -END NEW CERTIFICATE REQUEST-) into the text area below:

> I see mention in the docs of optionally requiring that a peer
> certificate include a particular value in its nsCertType extension
> (support for that's not currently planned AFAIK), or a particular value
> in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
> supporting that), but you're not setting such a requirement above.
>
>> - How about the Diffie hellman parameters?
>> - Is dh2048.pem just a bunch of shared primes that enable the two parties
>> to establish encryption together?
>
> Yes to both. I'm going by the PKI section of the howto [2] and the man
> page here.
>
>> - Is it bad if this file is compromised?
>
> The howto and man pages say it's not required to be kept secret, and the
> secrecy of a key that's generated using DH key agreement doesn't depend
> on the parameters being kept secret, so I'd say no.
>
> HTH,
>
> Nalin
>
> [1] https://fedorahosted.org/freeipa/ticket/2915
> [2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
Re: [Freeipa-users] Openvpn and Certificates
On Wed, Apr 01, 2015 at 07:02:56PM +0200, Andrew Holway wrote:
> I understand from previous discussions that client certificates are not yet
> supported in FreeIPA, instead I understand one can use "service
> certificates". From an OpenVPN standpoint I'm guessing this is fine because
> a vpn client can be entered in Freeipa as a client and a certificate
> generated for it. This might actually be a preferred model for VPN.
>
> My OVPN server config looks like this:
> ca ca.crt
> cert server.crt
> key server.key
> # Diffie hellman parameters.
> dh dh2048.pem
>
> I guess I can use the
> "ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
> command to generate the server.crt and private.key and I know where to find
> ca.crt however:

Unless there are other requirements on the contents of the certificate,
I'd expect that to work.

I see mention in the docs of optionally requiring that a peer
certificate include a particular value in its nsCertType extension
(support for that's not currently planned AFAIK), or a particular value
in its extendedKeyUsage (EKU) extension (there's a ticket [1] for
supporting that), but you're not setting such a requirement above.

> - How about the Diffie hellman parameters?
> - Is dh2048.pem just a bunch of shared primes that enable the two parties
> to establish encryption together?

Yes to both. I'm going by the PKI section of the howto [2] and the man
page here.

> - Is it bad if this file is compromised?

The howto and man pages say it's not required to be kept secret, and the
secrecy of a key that's generated using DH key agreement doesn't depend
on the parameters being kept secret, so I'd say no.

HTH,

Nalin

[1] https://fedorahosted.org/freeipa/ticket/2915
[2] https://openvpn.net/index.php/open-source/documentation/howto.html#pki
[Freeipa-users] Openvpn and Certificates
Hello,

After following Alexander's advice to use sssd/pam for OpenVPN with OTP I
have it all working rather nice but with self signed certificates which is
not ideal.

(This is actually amazing btw guys. Like wow. The QR-Codes and the OpenOTP
android app. wtf??!! :)

I'm scratching around trying to find a way to provide server and client
certificates but, to be honest, my understanding of certificates is not
good enough to be able to take the leap.

I understand from previous discussions that client certificates are not yet
supported in FreeIPA, instead I understand one can use "service
certificates". From an OpenVPN standpoint I'm guessing this is fine because
a vpn client can be entered in Freeipa as a client and a certificate
generated for it. This might actually be a preferred model for VPN.

My OVPN server config looks like this:
ca ca.crt
cert server.crt
key server.key
# Diffie hellman parameters.
dh dh2048.pem

I guess I can use the
"ipa-getcert request -f /path/to/server.crt -k /path/to/private.key -r"
command to generate the server.crt and private.key and I know where to find
ca.crt however:
- How about the Diffie hellman parameters?
- Is dh2048.pem just a bunch of shared primes that enable the two parties
to establish encryption together?
- Is it bad if this file is compromised?

Thanks,

Andrew