
Re: [Openvpn-users] PKI in LDAP and openvpn


  • Subject: Re: [Openvpn-users] PKI in LDAP and openvpn
  • From: Andrea <arussos@xxxxxxxxxxxxxxxx>
  • Date: Thu, 22 Nov 2007 14:24:09 +0100

Rek Jed wrote:
> Hi,
>
> I'm currently setting up an openvpn server to support approx. 500
> users.  Previously I did a few smaller installations (10-30 clients)
> where I used easy rsa to generate keys, sign them and distribute to
> users manually.  Now my users need to be able to create and revoke vpn
> certs themselves through a web portal.  I'm not sure how to design the
> infrastructure to make it easy for them to use and for me to manage.
>
> This is what I currently have in mind.  I'm thinking about storing my
> ca key, ca cert, crl and user certs in LDAP. The user would need to
> generate a key on his machine and upload the csr to the portal.  The
> portal would then sign it, store a copy of the cert in LDAP and give
> the other copy to the user.
>
> Another way of doing this could be storing already generated keys and
> signed certs in LDAP and just hand them out to users via the portal
> when they make a request.  This would be easier as they wouldn't need
> to generate any keys, just extract a zip file in the right place.  But
> less secure as the private key needs to be transmitted.
>
> If I store the crl in LDAP will openvpn be able to use it directly or
> will I need a local copy in a file?  I don't expect to have all users
> connected at the same time, but it's also worth asking if there are
> any scalability issues when you hit a certain number of concurrent
> connections?
>
> I've not implemented anything like this before and I'm not sure
> whether any of the above is actually possible.  I would love to hear
> how others are doing this and would greatly appreciate any feedback.
> Both the openvpn server and web portal run on freebsd and clients are
> mostly macs and windows boxes.
>
>
> Many Thanks,
>
>
> Rek
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
>
>   
Hi Jed, don't know if this is what you want to achieve, but this is what 
I realized:

I modified EJBCA (a powerful Java web-based CA) in order to:
1) Create the CA for the openvpn server-client setup from the webUI
2) Create openvpn client installer for Windows clients and for Unix 
clients (the system sends an e-mail to clients pointing them to an https 
page where they can select and download the proper installer built with 
the correct client credential and config file); the e-mail contains the 
username and a one-time password
3) The user is then authenticated on our OpenLDAP (the correct password 
is given to the user by phone)

EJBCA uses the pkcs12 token type, so I use openvpn 2.1. EJBCA is also 
configured to create a CRL file in pem format every minute.
All you have to do to create a new openvpn client is to go to the webUI 
and "add new entity"; this forces the CA to send the above e-mail to the 
user (the user must have a valid mail address); also, when you want to 
revoke a certificate you "revoke and delete" the user from the webUI, 
wait a minute and the openvpn server (which must download the crl.pem 
file) will learn that the user is no longer valid.

--Andrea
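
The reply above has the OpenVPN server download crl.pem from the CA every minute. One way to do that step safely, as an added example that is not part of the original post or of EJBCA: it assumes the server config points `crl-verify` at the destination path, and the URL, CA certificate path and destination path are hypothetical arguments.

```shell
#!/bin/sh
# Added example, not from the thread. URL, CA path and CRL path are
# hypothetical and are passed as arguments: URL CA_CERT CRL_DEST

# validate_crl CANDIDATE CA_CERT
# Succeeds only if CANDIDATE is a non-empty PEM CRL whose signature
# verifies against CA_CERT.
validate_crl() {
    candidate=$1; ca=$2
    [ -s "$candidate" ] || return 1
    # Match the message rather than the exit status, which older
    # openssl releases leave at 0 on a failed signature check.
    openssl crl -in "$candidate" -inform PEM -CAfile "$ca" -noout 2>&1 |
        grep -q '^verify OK'
}

# install_crl CANDIDATE CA_CERT DEST
# Replaces DEST only with a CRL that validated; otherwise DEST is kept.
install_crl() {
    candidate=$1; ca=$2; dest=$3
    if ! validate_crl "$candidate" "$ca"; then
        echo "CRL candidate rejected, keeping $dest" >&2
        return 1
    fi
    tmp="$dest.new.$$"
    # Copy next to DEST first so that mv is a same-directory rename and
    # OpenVPN never reads a half-written file.
    cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

# refresh_crl URL CA_CERT DEST
# Downloads the CRL to a scratch file, then validates and installs it.
refresh_crl() {
    url=$1; ca=$2; dest=$3
    fetched=$(mktemp) || return 1
    if curl --fail --silent --show-error --max-time 20 -o "$fetched" "$url"; then
        install_crl "$fetched" "$ca" "$dest"; rc=$?
    else
        rc=1
    fi
    rm -f "$fetched"
    return "$rc"
}

# Run only when called with the three arguments, e.g. from cron.
if [ "$#" -eq 3 ]; then
    refresh_crl "$1" "$2" "$3"
fi
```

A non-zero exit means the previous CRL is still in place, so revocations issued since the last good download have not reached the server; repeated failures are worth alerting on.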
