
Re: [Openvpn-users] PKI in LDAP and openvpn

  • Subject: Re: [Openvpn-users] PKI in LDAP and openvpn
  • From: Andrea <arussos@xxxxxxxxxxxxxxxx>
  • Date: Fri, 23 Nov 2007 00:10:45 +0100

Andrew Richardson wrote:
> Andrea wrote:
>> Hi Jed, don't know if this is what you want to achieve, but this is what 
>> I realized:
>> I modified EJBCA ( a powerful java web-based CA ) in order to :
> Can you detail what mods you made, or point to a downloadable version? 
> This sounds interesting!

Hi Andrew, I don't have a complete solution to download; I'll try to 
explain what I made:

I followed the excellent job done by Jon Bendstein and some hints given 
to me by the developers of EJBCA. If you download an EJBCA stable release 
you'll find ( under the doc directory ) a file called 
“howto-openvpn-ejbca.txt”; “quoting & pasting”.....


This document describes how to use EJBCA to create OpenVPN Windows
installer programs using the nsis package. It was developed and
tested under Debian.

If you don't need it, you can delete the openvpn directory under
the EJBCA homedir.

Where to find software:

EJBCA http://ejbca.sourceforge.net/
nsis http://nsis.sourceforge.net/
OpenVPN http://openvpn.net/
Zipfiles with OpenVPN GUIs for Windows:

0) You need a working EJBCA installation

1) Install nsis

2) Install the needed zipfile for use with nsis and put it in the
openvpn directory under the EJBCA homedir.

3) Make sure nsis works with the contents of the above zipfile.
I had to change 3 letters in the zipfile from openvpn.se. It was in
the file called setpath.nsi, which looked for a .NSH file, but my
Debian supplied it as a .nsh file. Run it with

makensis openvpn-gui.nsi

4) Modify the needed contents of the openvpn-gui.nsi file. The
parts I modify are right after:

# Include your custom config file(s) here.

where I write:

SetOutPath "$INSTDIR\config"
File "${HOME}\config\_-ORGANISATION-_.ovpn"
File "${HOME}\config\_-USER-_.p12"

The _-USER-_ and _-ORGANISATION-_ are later used by the

to replace the _-USER-_ part with the username from EJBCA, and
the _-ORGANISATION-_ part is replaced with the O= or OU= part
from the DN (Distinguished Name) of the certificate.

I also modify the Section "Uninstall" to uninstall cleanly:

Delete "$INSTDIR\config\*.ovpn"
Delete "$INSTDIR\config\*.p12"
Delete "$INSTDIR\config\*.*"
Delete "$INSTDIR\log\*.*"

RMDir "$INSTDIR\config"
RMDir "$INSTDIR\log"

See more in the nsis documentation.

5) Edit mk_openvpn_windows_installer.sh to suit your needs.
Depending on what you want, you can make this script use
different configuration files for OpenVPN. The
mk_openvpn_windows_installer.sh script uses the DN, parts of the
DN or the username from EJBCA to choose which OpenVPN
configuration will be included in the .exe file. You can even use
different versions of OpenVPN for different groups of people.


Then I modified some of the src-files of EJBCA in order to let the 
final user choose between the generation of a Windows OpenVPN installer 
or the generation of a zip file containing the files to be run on an 
X-system. On the OpenVPN server side I used the auth-ldap plugin in 
order to authenticate users against our OpenLDAP. To avoid users having 
to insert two different passwords when starting the client ( EJBCA uses a 
file in pkcs12 format encrypted with the one-time password generated 
when you add a new user ), I also modified Jon's scripts ( and, again, 
EJBCA src-files ) in order to decrypt the pkcs12 file before the 
OpenVPN token is generated; in this way the user must use only the 
OpenLDAP password.

So, what I have:

A working PKI infrastructure made up of a CA ( EJBCA ); from its web UI 
I create new users ( i.e. manage the creation of OpenVPN installers both 
for Windows PCs and Unix ones ); let them download their “token” from an 
https page; manage their revocation from the web UI.

The CA generates every minute a new CRL file, and a simple crontab entry 
on the OpenVPN server makes the server aware of the new state of the 

Hope this helps,

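The per-user substitution that steps 4 and 5 of the quoted howto describe (placeholders in the .nsi filled from the certificate DN, and a config bundle chosen per group), as an added example that is not part of this message, the EJBCA howto, or the OpenVPN project. Function names, the OU-to-config mapping and the sample DNs are assumptions; DNs are assumed to be simple comma-separated RDNs without escaped commas.

```shell
#!/bin/sh
# Added example: derive _-USER-_ and _-ORGANISATION-_ from a certificate DN,
# pick an OpenVPN config per group, and refuse values that are unsafe to use
# as file names (the username ends up in "$INSTDIR\config\_-USER-_.p12").

# dn_attr DN ATTR: print the value of the first ATTR= component of an
# RFC 2253-style DN such as "CN=alice,OU=sales,O=ExampleCorp".
dn_attr() {
    printf '%s\n' "$1" | tr ',' '\n' | awk -v key="$2" '
        { sub(/^[ \t]+/, "") }
        index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }'
}

# safe_name NAME: succeed only if NAME is safe as a file name and as a sed
# replacement (no path separators, spaces or sed metacharacters).
safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# choose_config DN: select the .ovpn to bundle by OU, with a default;
# the group names and file names here are made up for the example.
choose_config() {
    case "$(dn_attr "$1" OU)" in
        admins) echo admin-full-tunnel.ovpn ;;
        sales)  echo sales-split-tunnel.ovpn ;;
        *)      echo default.ovpn ;;
    esac
}

# render_template TEXT USER ORG: fill the two placeholders used in the .nsi.
render_template() {
    printf '%s\n' "$1" | sed -e "s/_-USER-_/$2/g" -e "s/_-ORGANISATION-_/$3/g"
}

# render_installer_vars DN: validate CN and O (falling back to OU) and emit
# the variables an installer-building script would consume.
render_installer_vars() {
    user=$(dn_attr "$1" CN)
    org=$(dn_attr "$1" O)
    if [ -z "$org" ]; then org=$(dn_attr "$1" OU); fi
    safe_name "$user" || { echo "unsafe CN: $user" >&2; return 1; }
    safe_name "$org"  || { echo "unsafe O/OU: $org" >&2; return 1; }
    printf 'USER=%s\nORGANISATION=%s\nCONFIG=%s\n' \
        "$user" "$org" "$(choose_config "$1")"
}
```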