[Openvpn-users] PKI in LDAP and openvpn

  • Subject: [Openvpn-users] PKI in LDAP and openvpn
  • From: Rek Jed <rekjed@xxxxxxxxx>
  • Date: Thu, 22 Nov 2007 00:45:38 +0000


I'm currently setting up an openvpn server to support approx. 500
users.  Previously I did a few smaller installations (10-30 clients)
where I used easy rsa to generate keys, sign them and distribute to
users manually.  Now my users need to be able to create and revoke vpn
certs themselves through a web portal.  I'm not sure how to design the
infrastructure to make it easy for them to use and for me to manage.

This is what I currently have in mind.  I'm thinking about storing my
ca key, ca cert, crl and user certs in LDAP. The user would need to
generate a key on his machine and upload the csr to the portal.  The
portal would then sign it, store a copy of the cert in LDAP and give
the other copy to the user.

Another way of doing this could be storing already generated keys and
signed certs in LDAP and just hand them out to users via the portal
when they make a request.  This would be easier as they wouldn't need
to generate any keys, just extract a zip file in the right place.  But
less secure as the private key needs to be transmitted.

If I store the crl in LDAP, will openvpn be able to use it directly or
will I need a local copy in a file?  I don't expect to have all users
connected at the same time, but it's also worth asking if there are
any scalability issues when you hit a certain number of concurrent

I've not implemented anything like this before and I'm not sure
whether any of the above is actually possible.  I would love to hear
how others are doing this and would greatly appreciate any feedback.
Both the openvpn server and web portal run on freebsd and clients are
mostly macs and windows boxes.

Many Thanks,
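
The CSR-based workflow the post sketches (user keeps the key, uploads a CSR, the portal signs it and later revokes it), as an added example that is not part of the original message or of OpenVPN: a POSIX shell script driving `openssl` the way a portal backend could. The CA name, the user name `alice`, the extension choices and every path are assumptions; the `openvpn/crl.pem` copy at the end exists because OpenVPN's `crl-verify` directive reads the CRL from a local file, so a CRL kept in LDAP has to be exported to disk for the server.

```shell
#!/bin/sh
# Added example, not code from the original post: the CSR-based enrolment the
# poster describes, driven with openssl. Names, subjects and paths are assumptions.
set -eu

# One-off CA setup: key, self-signed cert, and the index/serial/crlnumber files
# that `openssl ca` uses as its certificate database.
make_ca() {
    mkdir -p "$WORK/ca/newcerts" "$WORK/users" "$WORK/openvpn"
    : > "$WORK/ca/index.txt"
    echo 1000 > "$WORK/ca/serial"
    echo 1000 > "$WORK/ca/crlnumber"
    cat > "$WORK/ca/openssl.cnf" <<EOF
[ ca ]
default_ca       = vpn_ca
[ vpn_ca ]
database         = $WORK/ca/index.txt
new_certs_dir    = $WORK/ca/newcerts
certificate      = $WORK/ca/ca.crt
private_key      = $WORK/ca/ca.key
serial           = $WORK/ca/serial
crlnumber        = $WORK/ca/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = cn_only
x509_extensions  = client_cert
[ cn_only ]
commonName       = supplied
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example VPN CA" \
        -config "$WORK/ca/openssl.cnf" -keyout "$WORK/ca/ca.key" \
        -out "$WORK/ca/ca.crt" >/dev/null 2>&1
}

# Client side: the private key stays on the user's machine; only the CSR is uploaded.
user_request() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" -config "$WORK/ca/openssl.cnf" \
        -keyout "$WORK/users/$1.key" -out "$WORK/users/$1.csr" >/dev/null 2>&1
}

# Portal side: sign the uploaded CSR. The result is the cert you would store in
# LDAP and hand back to the user (the portal never sees a private key).
portal_sign() {
    openssl ca -batch -notext -config "$WORK/ca/openssl.cnf" \
        -in "$WORK/users/$1.csr" -out "$WORK/users/$1.crt" >/dev/null 2>&1
}

# Regenerate the CRL and copy it where an OpenVPN `crl-verify` line could point:
# OpenVPN reads the CRL from a local PEM file, wherever the master copy lives.
export_crl() {
    openssl ca -config "$WORK/ca/openssl.cnf" -gencrl -out "$WORK/ca/ca.crl" >/dev/null 2>&1
    cp "$WORK/ca/ca.crl" "$WORK/openvpn/crl.pem"
}

# Portal side: mark the cert revoked in index.txt, then republish the CRL.
portal_revoke() {
    openssl ca -config "$WORK/ca/openssl.cnf" -revoke "$WORK/users/$1.crt" >/dev/null 2>&1
    export_crl
}

# What the VPN server effectively does at connect time: chain check plus CRL check.
# Prints "valid" or "rejected".
cert_status() {
    cat "$WORK/ca/ca.crt" "$WORK/openvpn/crl.pem" > "$WORK/openvpn/ca-with-crl.pem"
    if openssl verify -crl_check -CAfile "$WORK/openvpn/ca-with-crl.pem" \
            "$WORK/users/$1.crt" 2>&1 | grep -q ': OK$'; then
        echo valid
    else
        echo rejected
    fi
}

# Full round trip in a scratch directory; prints the status before and after revocation.
pki_demo() {
    WORK=$(mktemp -d)
    make_ca
    user_request alice
    portal_sign alice
    export_crl
    before=$(cert_status alice)
    portal_revoke alice
    after=$(cert_status alice)
    rm -rf "$WORK"
    echo "$before $after"
}
```

Running `pki_demo` prints `valid rejected`: the freshly signed cert passes the chain-plus-CRL check, and the same cert is refused once the portal has revoked it and republished the CRL. The `index.txt` database that `openssl ca` maintains is the piece a portal would keep in sync with (or replace by) the LDAP entries; the exported `crl.pem` is what the OpenVPN server needs on local disk.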

