0

I am playing around with AWS ClientVPN which uses OpenVPN profiles.

I am wondering if there is a way to reference an external cert file stored on the computer itself as opposed to embedding the client cert in the OpenVPN profile itself...

E.g., store the cert file in ~/Documents and get the OpenVPN config to point to this location for the file?

The issue I'm trying to get over here is that (from my understanding - correct me if I'm wrong) someone can copy the ovpn file with the cert embedded and take it to another machine to use. We are trying to lock down use to company-owned devices only with the simplest deployment option...

arrrg
  • Yes. There's no need to wonder, just read [the manual page](https://openvpn.net/community-resources/reference-manual-for-openvpn-2-0/). Note that it describes what looks like command-line options (and they are!) but every single one of them may be specified as directives (w/o the leading dashes) in the configuration file, and they work the same way when read from there. Look for the `-cert` option. – kostix Dec 08 '20 at 09:30
  • And while we're at it, note that you can even tell OpenVPN to use the certificate from the Windows' certificate store — see [this](https://serverfault.com/a/38634/118848) for a start. – kostix Dec 08 '20 at 09:33
  • Thank you - we are using Macs but I'll take a look on the man page! Appreciate it – arrrg Dec 08 '20 at 09:34
  • Oh, gosh, somehow I've interpreted that "`~/Documents` and " bit the wrong way, sorry ;-) – kostix Dec 08 '20 at 09:35
  • Thanks for the help! Works like a charm :) – arrrg Dec 09 '20 at 10:02

1 Answer

0

Thanks to @kostix for the answer:

Yes. There's no need to wonder, just read the manual page. Note that it describes what looks like command-line options (and they are!) but every single one of them may be specified as directives (w/o the leading dashes) in the configuration file, and they work the same way when read from there. Look for the -cert option.

arrrg
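
One way to do the conversion discussed in this thread, as an added example that is not part of the original posts: a shell function that moves the inline `<cert>` and `<key>` blocks of a profile into separate owner-only files and replaces them with `cert` / `key` directives. The function names, the output file names and the sample profile are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread). The names externalize_ovpn,
# client.crt and client.key are assumptions made for this sketch.

# externalize_ovpn SRC DEST CERTDIR
#   SRC     profile containing inline <cert>/<key> blocks
#   DEST    profile to write, using `cert` / `key` directives instead
#   CERTDIR directory receiving client.crt / client.key (written as given)
externalize_ovpn() {
    src=$1 dest=$2 certdir=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    grep -q '^<cert>' "$src" || { echo "no inline <cert> in $src" >&2; return 2; }
    (
        umask 077                      # files are owner-only from creation
        mkdir -p "$certdir" || exit 1
        awk -v dir="$certdir" '
            { sub(/\r$/, "") }         # tolerate CRLF profiles
            $1 == "<cert>"  { out = dir "/client.crt"; printf "" > out; next }
            $1 == "<key>"   { out = dir "/client.key"; printf "" > out; next }
            $1 == "</cert>" { close(out); out = ""; print "cert \"" dir "/client.crt\""; next }
            $1 == "</key>"  { close(out); out = ""; print "key \"" dir "/client.key\"";  next }
            out != ""       { print > out; next }
            { print }                  # every other directive passes through
        ' "$src" > "$dest"
    )
}

# Constructed sample profile; the PEM bodies are placeholders, not real keys.
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
remote vpn.example.com 443
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
EOF
}
```

The extracted key file can still be read and copied by any account with access to it, which is why it is created with owner-only permissions.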