This apparently went out as HTML; Sorry about that. I've told my mail client to use plaintext for the list.

You may have seen a subset of this on forums.openvpn.net; if so, sorry for the dual posting, but I'm new to openvpn. This seems like a better place.

Three cert-related issues:

*Documentation:*
I got *--cryptoapicert* to work with "SUBJ:" selectors. The documentation for the "SUBJ:" form of the option is a bit lacking.

Consider this subject (as viewed in IE tools->options->content):

   E = j...@answers.example.net
   CN = John Smith
   OU = Group A
   OU = Department
   O = Minicorp
   L = City
   S = State
   C = US

To match the whole thing (as John Smith may have more than one cert), one needs: "SUBJ:US, State, City, Minicorp, Department, Group, John Smith, j...@answers.example.net" This is what Microsoft calls a CERT_SIMPLE_NAME_STR - the doc for which is astoundingly opaque.

The required ordering is not what IE presents for the RDN, but one can get it from openssl:

openssl x509 -in john.cer -noout -subject
subject= /C=US/ST=State/L=City/O=Minicorp/OU=Department/OU=Group/CN=John Smith/emailAddress=j...@answers.example.net

The above is one line, but mail will probably wrap it.

I'm not sure if simply reversing the MS presentation is reliable.

*BUG: Handling multiple RDN component instances:*
Note that this cert's Subject has two OU components (this is quite common). In the environment variables, only one shows up as:
   X509_0_OU=Group A                (The last OU seen in DN order)
Both should be made available in the DN order.  E.g.
  X509_0_OU=Department
  X509_0_OU.1=Group A
Note that pretty much any RDN component can have multiple values, and the order is significant. This applies both to issuers and to subjects.

*Missing feature?*
I would like to specify the CA from the Microsoft crypto store (e.g. cryptoapiCAcert), but I don't see such a directive. Did I miss it? If not, I guess this is a feature request. It would prevent having to distribute some certificates twice: once in the browser, and once in the client OpenVPN config.

 openvpn --version
OpenVPN 2.2.1 arm-linux-gnueabihf [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Oct 12 2013
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sa...@openvpn.net>

$ ./configure --build=arm-linux-gnueabihf --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --libexecdir=${prefix}/lib/openvpn --disable-maintainer-mode --disable-dependency-tracking CFLAGS=-g -O2 CPPFLAGS= CXXFLAGS=-g -O2 FFLAGS=-g -O2 LDFLAGS= --enable-password-save --host=arm-linux-gnueabihf --build=arm-linux-gnueabihf --prefix=/usr --mandir=${prefix}/share/man --with-ifconfig-path=/sbin/ifconfig --with-route-path=/sbin/route

Compile time defines: ENABLE_CLIENT_SERVER ENABLE_DEBUG ENABLE_EUREPHIA ENABLE_FRAGMENT ENABLE_HTTP_PROXY ENABLE_MANAGEMENT ENABLE_MULTIHOME ENABLE_PASSWORD_SAVE ENABLE_PORT_SHARE ENABLE_SOCKS USE_CRYPTO USE_LIBDL USE_LZO USE_PF_INET6 USE_PKCS11 USE_SSL

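The following is an added example, not code from the original post or from OpenVPN. It takes the one-line subject exactly as `openssl x509 -noout -subject` prints it, splits it into RDN components in DN order, builds a "SUBJ:" selector in the order the post reports as working (values only, C first, comma-space separated), and then models the two environment-variable layouts discussed above: the current one, where a second OU overwrites the first, and the ".1" suffix scheme the post proposes. The suffix naming and the `x509_env_*` helpers are hypothetical models of that proposal, not OpenVPN's implementation; the parser assumes the unescaped legacy one-line format and does not implement CERT_SIMPLE_NAME_STR quoting for values that contain commas.

```python
"""Added example (not from the original post or from OpenVPN): derive the
--cryptoapicert "SUBJ:" selector and X509_<depth>_<attr> environment
variables from an OpenSSL one-line subject, keeping repeated RDN types."""
import re

# Constructed sample: the subject line quoted in the post, as printed by
# `openssl x509 -in john.cer -noout -subject` (legacy one-line format).
SAMPLE_SUBJECT = ("subject= /C=US/ST=State/L=City/O=Minicorp/OU=Department"
                  "/OU=Group/CN=John Smith/emailAddress=j...@answers.example.net")


def parse_openssl_subject(line):
    """Return the DN as an ordered list of (type, value) pairs.

    The legacy one-line format separates components with '/', so this only
    splits on a '/' that is immediately followed by an attribute type and
    '='; values are assumed not to contain that sequence (no escaping)."""
    if line.startswith("subject="):
        line = line.split("=", 1)[1]
    rdns = []
    for part in re.split(r"/(?=[A-Za-z][A-Za-z0-9.]*=)", line.strip()):
        if not part:
            continue  # the leading '/' yields one empty piece
        attr, value = part.split("=", 1)
        rdns.append((attr, value))
    return rdns


def subj_selector(rdns):
    """Build the "SUBJ:" argument in the order the post reports as working:
    values only, DN order (C first), separated by ", ".

    Assumption: values containing ',' or '"' would need the quoting rules of
    Microsoft's CERT_SIMPLE_NAME_STR, which this helper does not implement."""
    return "SUBJ:" + ", ".join(value for _, value in rdns)


def x509_env_current(rdns, depth=0):
    """Model the behaviour the post describes as a bug: one variable per
    attribute type, so a later OU silently overwrites an earlier one."""
    env = {}
    for attr, value in rdns:
        env["X509_%d_%s" % (depth, attr)] = value
    return env


def x509_env_proposed(rdns, depth=0):
    """Model the post's proposal (hypothetical naming, not OpenVPN's): the
    first instance of a type keeps the plain name and each further instance
    gets a '.1', '.2', ... suffix, so every value survives in DN order."""
    env = {}
    seen = {}
    for attr, value in rdns:
        n = seen.get(attr, 0)
        name = "X509_%d_%s" % (depth, attr)
        if n:
            name += ".%d" % n
        env[name] = value
        seen[attr] = n + 1
    return env


if __name__ == "__main__":
    dn = parse_openssl_subject(SAMPLE_SUBJECT)
    print(subj_selector(dn))
    for k, v in sorted(x509_env_proposed(dn).items()):
        print("%s=%s" % (k, v))
```

Running it prints the same SUBJ: string the post arrived at by hand, and the proposed environment shows both OU values (X509_0_OU=Department, X509_0_OU.1=Group) where the current layout keeps only the last one.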

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
