
Re: [Openvpn-users] distributing keys

  • Subject: Re: [Openvpn-users] distributing keys
  • From: "Dave" <dev@xxxxxxxxxxxxxx>
  • Date: Mon, 13 Aug 2007 18:04:45 -0500
  • Importance: Normal

> What is the procedure for sending certificate signing
> requests to a Windows PC running OpenVPN 2.0?
> I have everything working OK; I can ping the server etc. but
> have no good way of getting the keys to clients. I don't want
> to send them by email, which is a security risk, nor by floppy,
> which is too slow.
> I have tried "My Certificate Wizard" with no results. The
> program creates keys with the .req extension, not .csr. Even
> if it did work, I can't find a script that will sign it at the CA.
> I have also noticed that all the easy-rsa build scripts, for
> example ./build-req, run under Linux, not Windows.

I'm not sure of your situation exactly; are you intending to generate CSRs
on client machines, which happen to be Windows machines, and wanting to send
back the CRT?  Anyway, here are some things that might (or might not) be of

*  The openvpn instructions that refer to using the easy-rsa scripts work by
creating the client's private key and then making a CSR that gets signed to
make the client cert.  Then you give these two things (the key and the cert)
to the client.  This would require a secure channel since the private key is
being transported.  This is not necessary, though, and is not typically done
in more rigorous PKI scenarios.  Rather:

*  The client generates their own private/public key pair.
*  The client creates a Certificate Signing Request and sends that to the
CA.  A CSR is the public key (only) and some data fields that would
ultimately be built into the certificate.
*  The CA vets the originator of the request and the info therein contained.
*  The CA signs it, which results in the cert.  The CA then sends the
resulting cert to the client.
*  This cert can be sent through an insecure channel, because a cert is your
public key.
*  The private key has never left the possession of the client, and has never
been shared with anyone else.

I am guessing this is what you are trying to achieve.  Anyway, your clients
can create their own key pairs and CSR with whatever tool is at their
disposal, since the format is standard.

I believe a CSR proper is binary and encoded in DER, but it can also be in PEM.
It looks like "My Certificate Wizard" is generating the PEM encoding.

You can sign that csr with openssl on the command line.  I cannot recall the
command offhand, but I think it goes something like:

openssl x509 -req -in (csr filename) -CA (ca cert file) -CAkey (ca key file) -CAcreateserial -out (client cert filename) -days (validity in days)

But you'll definitely want to look up the correct syntax on the web.

Personally, I manage my little CA with an app called xca, which I find very
easy to use.
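The CSR workflow described above, carried through with openssl as an added example (not part of the original mail, and not easy-rsa or xca code): the client keeps its private key, sends only the request, the CA signs it and the result is checked. The CA name, client name and file names in the scratch directory are assumptions.

```shell
#!/bin/sh
# Walks the workflow from the mail with openssl: the client makes its own key
# pair and a CSR, the CA signs the CSR, and the client gets a certificate back.
# Everything lives in a scratch directory; the CA/client names are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# CA side: a self-signed CA certificate (what easy-rsa's build-ca or xca gives you).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
        -out "$WORK/ca.crt" -days 365 -subj "/CN=Example VPN CA" 2>/dev/null
}

# Client side: private key plus a PEM CSR; the key stays in $WORK/client.key.
make_client_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/client.key" \
        -out "$WORK/client.csr" -subj "/CN=vpn-client-01" 2>/dev/null
    # The same request in DER, in case the CA tool wants the binary form.
    openssl req -in "$WORK/client.csr" -outform DER -out "$WORK/client.der"
}

# Returns 0 when the CSR carries public-key material only and its self-signature
# checks out, i.e. it is safe to send over an insecure channel.
csr_has_no_private_key() {
    ! grep -q 'PRIVATE KEY' "$WORK/client.csr" &&
    openssl req -in "$WORK/client.csr" -noout -verify >/dev/null 2>&1
}

# CA side: after vetting the requester, sign the CSR into a client certificate.
sign_csr() {
    openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" \
        -days 365 2>/dev/null
}

# Returns 0 when the issued cert chains to the CA and wraps the client's own key.
cert_is_valid() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1 &&
    [ "$(openssl x509 -in "$WORK/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/client.key" -pubout)" ]
}

# Runs the whole exchange; returns 0 only if every step and check passed.
run_demo() {
    make_ca && make_client_csr && csr_has_no_private_key && sign_csr && cert_is_valid
}

run_demo && echo "client.crt issued by the CA and verified"
```

Only client.csr (or client.der) crosses to the CA and only client.crt comes back; client.key never leaves the scratch directory.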