OpenVPN with External CA


nfordhk

Jul 6, 2018, 5:26:33 PM7/6/18
to tunnelbli...@googlegroups.com
I am setting up my first OpenVPN server to integrate with a MFA solution. I installed Easy-RSA on the OpenVPN server, placed the cert and keys in my config file directory and everything works great. 

I want to expand on this. I want to use my mPKI CA. I've concatenated my Root & Issuing cert for the "ca <value>". The problem is my cert and key are in my macOS Keychain.

I've been using this: https://groups.google.com/forum/#!topic/tunnelblick-discuss/yS9UiALeEyA, which mentions preferences and the following:
defaults write net.tunnelblick.tunnelblick XYZ-keychainHasPrivateKey -bool YES

How do I perhaps integrate this? Create this preference file and point at my Keychain for cert/key? Any config example guide would be greatly appreciated!

Tunnelblick developer

Jul 6, 2018, 5:56:58 PM7/6/18
to tunnelblick-discuss
Tunnelblick does not support the storage/retrieval of certificates or keys in the macOS Keychain.

OpenVPN does not support the storage/retrieval of keys or certificates in the macOS Keychain either. At one time OpenVPN included the ability to do that, but that functionality was removed due to concerns that the code had not been examined for security vulnerabilities.

Certificates can be embedded inline in the configuration file, can be stored in files that are separate from the configuration file, or can be referenced as "external certificates" using the --management-external-cert option. However, Tunnelblick does not include the functionality which that option needs.

Tunnelblick does support using the macOS keychain to store and retrieve usernames, passwords, and private keys (passphrases that secure a key), and the -keychainHasPrivateKey and similar preferences are booleans (yes/no indicators) that Tunnelblick uses to track if an item is stored in the Keychain. Changing the boolean to a string with a path into your Keychain would not work and the results would be unpredictable.
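As an added example that is not part of this thread or of the Tunnelblick project, the client configuration below shows the two forms the developer says are supported: certificate and key in separate files next to the config, or embedded inline. The CA section carries the root and issuing certificates concatenated, as the original poster did; OpenVPN loads the whole PEM bundle into its trust store, so their order does not matter. The server name, the expected certificate name and all PEM bodies are placeholders.

```conf
# Added example client.ovpn (not from the thread). Server name, expected
# certificate name and PEM contents are placeholders; replace with your own.
client
dev tun
proto udp
remote vpn.example.com 1194          # placeholder server name
nobind
persist-key
persist-tun

# Require the server's certificate to carry the server EKU and to present the
# expected common name, so another client cert issued by the same CA cannot
# pose as the server.
remote-cert-tls server
verify-x509-name vpn.example.com name   # placeholder common name

# Form 1 (what the original poster set up with Easy-RSA): separate files in
# the configuration directory.
# ca   ca-chain.crt      # root + issuing CA certs concatenated, PEM
# cert client.crt
# key  client.key

# Form 2: the same material embedded inline. Paste each PEM block between
# the matching tags; the <ca> block may hold several certificates.
<ca>
-----BEGIN CERTIFICATE-----
...issuing CA certificate (placeholder)...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...root CA certificate (placeholder)...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...client certificate (placeholder)...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...client private key, ideally passphrase-protected (placeholder)...
-----END PRIVATE KEY-----
</key>

# With a passphrase-protected key, Tunnelblick can keep the passphrase (not
# the key itself) in the macOS Keychain, which is the Keychain support the
# developer describes. auth-user-pass supplies the username/password for the
# MFA prompt on top of the certificate.
auth-user-pass
```

Use only one of the two forms; leaving the file-based directives uncommented while also embedding the blocks makes the configuration ambiguous. Whichever form is used, the private key lives on disk in the configuration directory, so restrict that directory's permissions to the user running Tunnelblick.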

nfordhk

Jul 6, 2018, 6:40:10 PM7/6/18
to tunnelbli...@googlegroups.com
Thanks so much for your reply! Is this limitation documented somewhere I could review? 

nfordhk

Jul 6, 2018, 6:49:18 PM7/6/18
to tunnelblick-discuss
Question. I found this: https://openvpn.net/index.php/access-server/as-advantages.html

5. MacOS X Keychain and Windows Crypto API integration

AS clients fully support the both MacOS X keychain and Windows Crypto
API for key storage. This feature improves security of AS because no
OpenVPN client configuration file contains the private key. This support
is configuration-free in the sense that the appropriate certificate and
private key are selected by scanning the keystore for keys signed by the
OpenVPN CA cert. From administrator perspective both MacOS X and Windows
keychains look the same, i.e. their differences have been abstracted away.

Tunnelblick developer

Jul 6, 2018, 6:57:59 PM7/6/18
to tunnelblick-discuss
There's no Tunnelblick documentation about it.

That functionality may be added to Tunnelblick in the future, but there are no current plans to do so.