[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows

  • Subject: Re: [Openvpn-users] Re: HowTo Run OpenVPN as a non-admin user in Windows
  • From: Mathias Sundman <mathias@xxxxxxxxxx>
  • Date: Tue, 25 Jan 2005 17:17:04 +0100 (CET)

On Tue, 25 Jan 2005, Didier Conchaudron wrote:

Mathias Sundman wrote:

Your article shows too that some features are still missing in the field to make openvpn a professional software of choice.

- Full certificate support: actually, the SYSTEM account can't access to users certificates and private keys which are located into IE cert store. People with smart cards are actually unable to use them as users only.

It's still unclear to me whether it's whether the system is supposed to have access to user keys or not though. I though a user key in the CertStore were encrypted with the users password somehow, and therefor only available to that user. Is this not true, or are the keys decrypted when a user logs on so it becomes available to the system as well as long as the user is logged on?

First, when you import a p12 into IeCertStore, you can crypt the p12 so Ie will ask you for the password in order to inmport the p12. But this password is independant of the password protecting the private key. So the p12 password will be asked just one time at import.
If you private key is protected by a password, Ie will not ask you for the password during import, but this password will be asked by the default CSP(a window of Ie in fact) each time an apps need to access to the private key. The process is the same when you use a smart card, the only difference is that the CSP is from your smart card manufacturer, so the password can be a PIN code on the card reader(like mine) or a window on your computer.
A basic non-protected private key imported via p12 into Ie certstore can be accessible via SYSTEM account, I guess. That's the point I need confirmation too.

So, what you're saying is that if I import a non encrypted private key to into the IeCertStore, it will be saved in cleartext on my system?

Again, I thought one of the benefits with using the CryptoStore was that windows protected the key by encrypting it with the normal user logon credentials somehow.

If what you say is true, then an originally unencypted private key imported to the CertStore, can almost as easily as a file, be retrieved from a stolen laptop's harddrive.

Are you sure about that?

Mathias Sundman                  (^)   ASCII Ribbon Campaign
OpenVPN GUI for Windows           X    NO HTML/RTF in e-mail
http://www.nilings.se/openvpn    / \   NO Word docs in e-mail

Openvpn-users mailing list