
Re: [Openvpn-users] PKI in LDAP and openvpn

  • Subject: Re: [Openvpn-users] PKI in LDAP and openvpn
  • From: Rek Jed <rekjed@xxxxxxxxx>
  • Date: Fri, 23 Nov 2007 13:22:36 +0000

Hi Andrea,

Andrea wrote:
> Hi Jed, don't know if this is what you want to achieve, but this is what 
> I realized:
> I modified EJBCA ( a powerful java web-based CA ) in order to :
> 1) Create the CA for the openvpn server-client setup from the webUI
> 2) Create openvpn client installer for Windows clients and for Unix 
> clients (the system sends an e-mail to clients pointing them to an https 
> page where they can select and download the proper installer built with 
> the correct client credential and config file ); the e-mail contains the 
> username and a one-time password
> 3) The user is then authenticated on our OpenLDAP ( the correct password 
> is given to the user by phone )
> Ejbca uses pkcs12 token type, so I use openvpn 2.1. Ejbca is also 
> configured to create a CRL file in pem format every minute .
> All you have to do to create a new openvpn client is to go to the webUI 
> and "add new entity"; this forces the CA to send the above e-mail to the 
> user ( the user must have a valid mail address ); also when you want to 
> revoke a certificate you "revoke and delete" the user from the webUI, 
> wait a minute and the openvpn server ( which must download the crl.pem 
> file ) will learn that the user is no longer valid.

This sounds very interesting but EJBCA seems to be a bit of an overkill 
for what I'm trying to do.  My client has a web portal already, to which 
I need to integrate OpenVPN management.  Ideally users should be able to 
request (and revoke) OpenVPN access from the portal and the portal should 
either issue them with a certificate (if I go for the key generated by the 
user approach) or let them download the key and crt in one go (in this 
case the key would be generated on the portal or taken from a pool of 
ready-made keys stored in LDAP). If this is possible, it should be 
relatively easy to implement with a few scripts and a simple LDAP setup. 
The whole process must be automated. Generating custom Windows 
installers seems like a good idea, I'll investigate nsis.

Thanks for the reply,
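The "revoke and delete", regenerate the CRL, server rejects the user cycle that Andrea describes, reproduced locally with the openssl CLI as an added example (it is not code from this thread, from EJBCA or from OpenVPN). It assumes openssl is on PATH; the CA config, names and the DemoCA/client1 subjects are constructed for the demo, and openssl verify -crl_check stands in for the OpenVPN server's crl-verify check against the downloaded crl.pem.

```shell
crl_revocation_demo() {
  work=$(mktemp -d) || return 1
  (
    set -e
    cd "$work"
    # Minimal "openssl ca" configuration, constructed for this demo only
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = index.txt
new_certs_dir = .
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_crl_days = 1
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    touch index.txt
    echo 01 > serial
    # 1) CA plus one client certificate (what the CA issues per "add new entity")
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj /CN=DemoCA -days 1 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
      -out client.csr -subj /CN=client1 2>/dev/null
    openssl ca -config ca.cnf -batch -days 1 -in client.csr -out client.crt 2>/dev/null
    # 2) Fresh CRL with nothing revoked: the client must still verify
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    cat ca.crt crl.pem > ca_and_crl.pem
    openssl verify -crl_check -CAfile ca_and_crl.pem client.crt >/dev/null 2>&1
    # 3) Revoke the user, then regenerate the CRL the VPN server downloads
    openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    cat ca.crt crl.pem > ca_and_crl.pem
    # 4) Against the refreshed CRL the same certificate must now be rejected
    if openssl verify -crl_check -CAfile ca_and_crl.pem client.crt >/dev/null 2>&1; then
      echo "revoked certificate still verifies: CRL check is not working" >&2
      exit 1
    fi
    echo "client1 accepted before revocation, rejected after CRL refresh"
  )
  rc=$?
  rm -rf "$work"
  return "$rc"
}
```

The function returns 0 only when the certificate verifies before revocation and fails verification afterwards, which is the behaviour an OpenVPN server configured with crl-verify relies on once the new crl.pem has been fetched.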


Openvpn-users mailing list