Greetings,
While reading through the "Mastering OpenVPN" book, I came across the
following bit of text in the PKI section:
*"Just like server certificates, clients can be authenticated using
client-specific certificates. With this method, each client can be required
to have a unique certificate. The certificate Common Name (CN) can be used
to determine other parameters to be pushed on a given connection via
client-connect scripts or the client-config-dir option. As of OpenVPN
2.3.7, there is still support for --client-cert-not-required. There has been
talk of removing this support from a future release.
client-cert-not-required allows a client to connect without a unique (or
any) predefined certificate, much as a web browser would connect to a web
server."*
I am using username/password authentication with an LDAP backend to avoid
having to generate a certificate for each client, but it seems that having
client certs is generally recommended.
It seems the only way to get around having client certificates for each
person, but also not enabling `client-cert-not-required`, is to have every
user use one client certificate, and enable `duplicate-cn` in the server
configuration.
Is there another method I haven't thought of?
--
Scott Crooks (王虎)
LinkedIn: http://www.linkedin.com/in/jshcrooks
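An added server-side illustration of the two setups the post weighs against each other (not from the post, the book or the OpenVPN project); the file paths, the `ccd` directory and the openvpn-auth-ldap plugin line are assumptions:

```conf
# Added example: OpenVPN 2.3.x server fragment contrasting "no client cert"
# with "one shared client cert + duplicate-cn". Paths are assumptions.

# --- TLS material: the server always proves its own identity to clients ---
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh2048.pem
# HMAC on the control channel; unauthenticated packets are dropped before
# TLS, which reduces the exposure of a password-only setup to port probing.
tls-auth /etc/openvpn/pki/ta.key 0

# Username/password check against the LDAP backend
# (openvpn-auth-ldap plugin and its config file are assumed to be installed).
plugin /usr/lib/openvpn/openvpn-auth-ldap.so /etc/openvpn/auth-ldap.conf

# --- Option A: no client certificate at all (the setting the book flags) ---
# Anyone who reaches the port gets as far as the password prompt; the LDAP
# password is the only thing standing between them and the tunnel.
# (2.4 replaced this with "verify-client-cert none"; 2.5 removed it.)
#client-cert-not-required

# --- Option B: one shared client certificate plus duplicate-cn ---
# The TLS layer still rejects clients that do not hold the shared cert, and
# LDAP is checked on top. The shared cert is a group secret: rotate it by
# reissuing to everyone; disable a single user via the LDAP account.
duplicate-cn

# Log and look up per-user settings by the LDAP username rather than the
# shared CN, so sessions stay attributable to a person in either option.
username-as-common-name
client-config-dir /etc/openvpn/ccd
```

In option B the shared certificate alone proves only membership in the group that was issued it; individual accountability comes from the LDAP username, which is why `username-as-common-name` is paired with it.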
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users