Hi,

On 11/08/17 01:02, Gregory Sloop wrote:
Re: [Openvpn-users] Server vs Client cert generation *SK> On 09-08-17 19:34, Gregory Sloop wrote:
>> I also often need to generate certs for other things and GNU TLS's
>> CertTool works pretty well.
>> I'd like to use one tool to generate all the certificates I generally
>> need - it's just easier to keep track of, document etc.

>> However when I go to generate certs for OpenVPN usage with certtool, it
>> appears I have a problem with the "server" attribute.

>> While I have the following in the certs...
>> ---
>>        Extensions:
>>                Basic Constraints (critical):
>>                        Certificate Authority (CA): FALSE
>>                Subject Alternative Name (not critical):
>>                        DNSname: abc-ovpn-server-01
>>                Key Purpose (not critical):
>>                        TLS WWW Server.
>>                Key Usage (critical):
>>                        Key encipherment.
>>                Subject Key Identifier (not critical):
>>                        xxxx
>>                Authority Key Identifier (not critical):
>>                        xxxx
>> ---
>> ...it doesn't appear to be identified as a "server" certificate. [At
>> least in pfsense.]

SK> I have no clue about how to use certtool, but I'll give this a shot.

SK> Do you know what certtool means with "Key purpose"?  Is that it's own
SK> invented name for extendedKeyUsage ?

SK> Also, what are you using to check that this is a "server" certificate?
SK> --remote-cert-tls? or --ns-cert-type?  or something homegrown?

SK> In any case, this certificate seems to miss the digitalSignature
SK> keyUsage, which is required if you want to use TLS cipher suites with
SK> forward secrecy (DH/ECDH).  Modern OpenVPN by default only support
SK> cipher suites by forward secrecy.  So although this has nothing to do
SK> with "server" attributes, it is likely to cause the connection to fail.

*So, follow-up - mostly answering my own questions. [After a boat-load of tinkering and testing...]

I've successfully used CertTool from the GNUTLS project to create the CA, Server and Client certs - and also a CRL. [GNUTLS's CertTool is a CLI tool available under *nix and Windows. My work was all on the Windows platform, using the most current version, which at the time this was written was 3.5.8]

What I haven't managed to do, successfully, yet is to use the OpenVPN client side directive: "remote-cert-tls server"
This really isn't a problem, however. I'll explain that in a moment.

I've not been able to determine what extended certificate attribute fixes this, despite some significant checking. The benefit of "remote-cert-tls server" is so that someone couldn't use another "client" certificate on a MITM server and trick you into connecting to it, instead of the "real" server.

But there are other ways to ensure the same result that don't rely on the "server" extended attribute. Follow along and I'll show you one way that works fine for me.

The docs:
https://openvpn.net/index.php/open-source/documentation/howto.html#mitm
suggest using "tls-remote" which has been *deprecated.* and bombs in recent OpenVPN clients. [Someone ought to update that!]

However, there's a replacement:
--verify-x509-name your-servers-certificate-cn-name-here name
You can also use the whole subject name, if that makes you feel better, or several other options. [See the docs and google for more...]

That option subsequently allows me to not worry about finding the exact proper yet elusive extended-attribute in my certificates - while still allowing for strong verification that I'm connecting to exactly the server I intend.

[If you have several servers, there are other options too, for name matching that will likely help. But this way is far more than adequate for the 99.9% of us running small OpenVPN servers of our own. If you're larger, I'm sure you have the resources to figure it out. If you do, I'd be glad to hear the solution to make CertTool generate the proper "server" certificate.]

you're protecting yourself from different things here:

- "remote-cert-tls server" prevents someone from using a client certificate to pose as a server certificate - "verify-x509-name" ensures that openvpn checks the server name against the certificate name

with the first option, you are not required to have a valid FQDN for your server; the second option is more strict because it allows clients to connect *only* to servers identifying themselves as the FQDN you specify - this tends to not scale very well if you have multiple connection blocks or "remote" entries in your client config files.

---
What's interesting is: pfSense doesn't think the certificates generated by the *EasyRSA* tool are server certs either. [It's possible that pfSense is mistaken - I just found it amusing.]

I also don't recall actually trying them [the EasyRSA certs], even with that warning, using "remote-cert-tls server". When pfSense complained about even the EasyRSA cert not being "server" certs when I added them, I simply gave up. [I didn't really want to use EasyRSA anyway. I was just testing a bunch of different things trying to get the same attributes on CertTool generated certs as EasyRSA does - but without avail.]

---
So, just to document, should anyone else stumble across this - here's the steps to duplicate my work using CertTool. This is, IMO, better than using EasyRSA and *far* less confusing and daunting than OpenSSL's CLI tools. [Holy cow, the OpenSSL tools are more like learning latin or worse - you might get by cut/pasting someone else's work, but you won't likely have a clue what you're doing or why.]

So, here's the process to use CertTool

#Create a CA key, and self sign the certificate using that key.
---
certtool --generate-privkey --outfile ca-key.pem XXXX [Where XXXX is the RSA key size] certtool --generate-self-signed --load-privkey ca-key.pem --outfile ca-cert.pem --template=ca-template.txt [I'll cover this "template" file down the way.]
---

# I have a batch file that generates a temp template file with the cn and DNS names for this cert, and I pass the proper values... I'm glad to share details if you want. # This same procedure generates server or client keys and certs - using a different base "template" for each [server or client]
---
certtool --generate-privkey --outfile %1-key.pem --bits=%2 --template=tempfile2.txt certtool --generate-request --load-privkey %1-key.pem --outfile %1-request.pem --template=tempfile2.txt certtool --generate-certificate --load-request %1-request.pem --outfile %1-cert.pem --load-ca-certificate ca-cert.pem --load-ca-privkey ca-key.pem --template=tempfile2.txt
---

I've tried certtool as well and ended up with a "TLS Web Server" certificate using this cert.cfg file:

---
organization = "Cookbook 2.4"
country = US
cn = "newserver"

#dn = "cn = Nikos,st = New\, Something,C=GR,surName=Mavrogiannopoulos,2.5.4.9=Arkadias"

expiration_days = 1000

tls_www_server

signing_key
encryption_key
---

and 'openssl x509 -text' does indeed give me:

       X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment

which is identical to the output generated for a certificate using EasyRSA's "build-key-server" script.

HTH,

JJK





------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users

Reply via email to