
Re: [Openvpn-users] PKI in LDAP and openvpn

  • Subject: Re: [Openvpn-users] PKI in LDAP and openvpn
  • From: Andrea <arussos@xxxxxxxxxxxxxxxx>
  • Date: Fri, 23 Nov 2007 15:32:30 +0100

Rek Jed wrote:
> Hi Andrea,
> Andrea wrote:
>> Hi Jed, don't know if this is what you want to achieve, but this is 
>> what I realized:
>> I modified EJBCA (a powerful Java web-based CA) in order to:
>> 1) Create the CA for the openvpn server-client setup from the webUI
>> 2) Create openvpn client installers for Windows clients and for Unix 
>> clients (the system sends an e-mail to clients pointing them to an 
>> https page where they can select and download the proper installer 
>> built with the correct client credential and config file); the 
>> e-mail contains the username and a one-time password
>> 3) The user is then authenticated on our OpenLDAP (the correct 
>> password is given to the user by phone)
>> EJBCA uses the pkcs12 token type, so I use openvpn 2.1. EJBCA is also 
>> configured to create a CRL file in pem format every minute.
>> All you have to do to create a new openvpn client is to go to the 
>> webUI and "add new entity"; this forces the CA to send the above 
>> e-mail to the user (the user must have a valid mail address); also 
>> when you want to revoke a certificate you "revoke and delete" the 
>> user from the webUI, wait a minute and the openvpn server (which 
>> must download the crl.pem file) will learn that the user is no 
>> longer valid.
> This sounds very interesting but EJBCA seems to be a bit of an 
> overkill for what I'm trying to do.  My client has a web portal 
> already, into which I need to integrate OpenVPN management.  Ideally 
> users should be able to request (and revoke) OpenVPN access from the 
> portal and the portal should either issue them with a certificate (if I 
> go for the key-generated-by-the-user approach) or let them download the 
> key and crt in one go (in this case the key would be generated on the 
> portal or taken from a pool of ready-made keys stored in LDAP). If 
> this is possible, it should be relatively easy to implement with a few 
> scripts and a simple LDAP setup. The whole process must be 
> automated. Generating custom Windows installers seems like a good 
> idea, I'll investigate NSIS.
> Thanks for the reply,
> Rek
I understand; if you choose to "use" the web portal already present I 
think you'll have to modify some of the pages, with two choices:
1) Set up a CA for the openvpn server side on the server where the portal 
resides and then add scripts to permit clients to request and revoke 
their certificates
2) Set up an openvpn server on a second machine and use scripts to grab 
all information from there

Keep in mind that EJBCA has the option of generating and keeping PKI 
tokens directly in LDAP. All the choices above are, in my opinion, not 
so simple and rapid; so, probably, a custom setup with EJBCA linked to 
the web portal of your client would be the third choice you could take.
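The revoke / publish crl.pem / reject loop described in this exchange, as an added example that is not part of the thread, of EJBCA or of OpenVPN: a throwaway openssl CA stands in for the CA web UI and its per-minute CRL job, and `openssl verify -crl_check` stands in for the OpenVPN server's `crl-verify` check. All names, paths and the `Demo VPN CA` / `alice` identities are constructed for the example.

```shell
# Added example, not from the thread: a throwaway CA that mirrors the flow above.
# "revoke and delete" in the CA web UI plus the per-minute CRL job become
# revoke_and_publish; the OpenVPN server's "crl-verify crl.pem" check becomes
# client_allowed. Runs in a temp dir; every name and path here is constructed.
set -eu

setup_ca() {            # $1 = empty working directory (the shell cd's into it)
  cd "$1"
  : > index.txt; echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
crlnumber = $dir/crlnumber
default_md = sha256
default_crl_days = 1
EOF
  # Self-signed CA: the "CA for the openvpn server-client setup"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo VPN CA" \
    -keyout ca.key -out ca.crt 2>/dev/null
  publish_crl           # start with an empty CRL so crl-verify has a file to read
}
publish_crl() {         # what the CA's "CRL file in pem format every minute" job emits
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out crl.pem 2>/dev/null
  cat ca.crt crl.pem > bundle.pem   # openssl verify wants CA cert and CRL in one file
}
issue_client() {        # $1 = client name; writes $1.key and $1.crt signed by the CA
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial -days 1 \
    -out "$1.crt" 2>/dev/null
}
revoke_and_publish() {  # $1 = client cert: mark it revoked, then regenerate crl.pem
  openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke "$1" 2>/dev/null
  publish_crl
}
client_allowed() {      # $1 = client cert; 0 only if it chains to the CA and is not revoked
  openssl verify -crl_check -CAfile bundle.pem "$1" >/dev/null 2>&1
}
demo() {                # issue a client, check it, revoke it, check again
  setup_ca "$(mktemp -d)"
  issue_client alice
  client_allowed alice.crt && echo "alice accepted before revocation"
  revoke_and_publish alice.crt
  client_allowed alice.crt || echo "alice rejected once crl.pem is refreshed"
}
demo
```

The window between `revoke_and_publish` running on the CA and the OpenVPN server re-reading its copy of crl.pem is exactly the "wait a minute" in the message above; a client whose certificate was revoked stays accepted until that copy is refreshed.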