6

I want to setup OpenVPN server for my personal usage. I own domain and I have valid SSL certificate for this domain (issued by StartSSL).

At the beginning of the setup instructions for OpenVPN there's a section describing generation of my own certificate authority used later to issue self-signed certificates.

I wonder if I can use my existing SSL certificate for that purpose? Do I have any advantages doing that?

For example I used this certificate for mail server SSL and mail clients do not complain about self-signed certificates. Do OpenVPN clients use well known root certificates to check server's certificate or they do not employ this infrastructure and self-signed certificate will work fine?

vbezhenar
  • You _can_, although it needs a little bit of play. – peterh Sep 01 '14 at 08:41
  • You can, easily enough, but one does wonder why? – womble Oct 23 '15 at 23:21
  • WWW and SMTP clients do not like self-signed certificates, it's better to use a proper certificate. I thought that the same was true for OpenVPN. It turned out that it's a completely different protocol with a different approach to trust chains. – vbezhenar Oct 24 '15 at 15:51

4 Answers

7

How are you planning on doing client authentication? Are you planning on doing cert-based client authentication, or something else?

I wonder if I can use my existing SSL certificate for that purpose? Do I have any advantages doing that?

Yes you probably could get away with re-using a certificate, so long as your cert subject value matches the name of your OpenVPN server.

This is almost certainly a bad idea though. There are little or no advantages to do it. You will probably make things more difficult and confusing for yourself if you try and you aren't very well versed in how PKI works.

In any case, for your first VPN server I strongly suggest following the guide as it is written before you try doing anything fancy with external CAs, or 3rd party certificates. OpenVPN is extremely flexible, but it is best to stick with the standard method to start.

Do OpenVPN clients use well known root certificates to check server's certificate or they do not employ this infrastructure and self-signed certificate will work fine?

Generally when setting up OpenVPN clients you give the client the CA cert in addition to the suggested configuration.

Zoredache
  • It does make a difference if you want to connect an Android client. In that case, if you use a custom CA, you'll have to install its certificate into the Android root store, which results in Android popping up this annoying notification about “your network being monitored by an unknown third party” every now and then, which is impossible to get rid of. – koniiiik Sep 25 '15 at 12:01
7

While this answer is much later than your original question, your question is the first link that came up when I googled OpenVPN StartSSL and I hope my experience can help someone else who is trying to do the same thing.

With a bit of playing around, I have been able to get OpenVPN working with free StartSSL server and client certificates with one year validity.

StartSSL does not allow its Web Server SSL/TLS Certificates to be used on the client side, so I generated multiple S/MIME and Authentication Certificates (using email+[clientname]@[mydomainname]) and exported them from the browser.

I had to convert the S/MIME and Authentication Certificates from pfx file types to keys and certificates using openssl. I followed this guide.

Then I had to combine the client key and various keys/certificates together into an OVPN file (I used a ta key too). I adapted someone else's script to do this from the command-line. Code here.

I was originally stumped by certificate verification errors, particularly:

VERIFY ERROR: depth=0, error=unable to get local issuer certificate

For me, the key was downloading ca.pem, sub.class1.server.ca.pem and sub.class1.client.ca.pem from StartSSL then combining the three:

cat ca.pem sub.class1.server.ca.pem sub.class1.client.ca.pem > ca-COMBINED.pem

I used this in my server.conf for OpenVPN and chocks were away!
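The recipe in this answer (split the browser-exported .pfx into key and cert, concatenate root and sub-CA into one bundle, inline everything into a profile) as an added shell example. It is not the answer's own script, nor StartSSL's or OpenVPN's code: the hostname vpn.example, the file names, the .pfx password "demo" and the throwaway root/sub-CA/client PKI that make_demo_pki builds are all constructed here so the script runs offline. The last block reproduces the "unable to get local issuer certificate" failure by verifying against the root alone, then shows the combined bundle passing.

```shell
#!/bin/sh
# Added example (not the answer's, StartSSL's or OpenVPN's code). Everything named below
# (vpn.example, file names, the demo PKI, password "demo") is constructed for this example.
set -eu

# Constructed sample input: root CA -> client sub-CA -> client cert, exported as a .pfx,
# which is roughly what a browser export of an S/MIME/authentication cert looks like.
make_demo_pki() {
  dir=$1
  mkdir -p "$dir"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$dir/root.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Client Sub CA" \
    -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/sub.csr" -CA "$dir/ca.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/sub.class1.client.ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1/emailAddress=client1@vpn.example" \
    -keyout "$dir/client.key.orig" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$dir/client.csr" -CA "$dir/sub.class1.client.ca.pem" \
    -CAkey "$dir/sub.key" -CAcreateserial -extfile "$dir/client.ext" \
    -out "$dir/client.crt.orig" 2>/dev/null
  openssl pkcs12 -export -in "$dir/client.crt.orig" -inkey "$dir/client.key.orig" \
    -out "$dir/client.pfx" -passout pass:demo
}

# Split the .pfx into the two PEM files OpenVPN wants: the end-entity cert only (-clcerts)
# and the unencrypted key (-nodes). Re-parsing through x509/pkey leaves just the PEM blocks,
# without the "Bag Attributes" header lines pkcs12 prints. (A .pfx written by an old tool may
# need `openssl pkcs12 -legacy` on OpenSSL 3.)
pfx_to_pem() {
  pfx=$1; pass=$2; out=$3
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys 2>/dev/null \
    | openssl x509 -out "$out/client.crt"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes 2>/dev/null \
    | openssl pkey -out "$out/client.key"
  chmod 600 "$out/client.key"
}

# The fix from the answer: root and every issuing sub-CA concatenated into one `ca` file.
build_ca_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# Same check OpenVPN performs at depth=0: can an issuer chain be built from the bundle?
verify_chain() {
  bundle=$1; cert=$2
  openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1
}

# Write a single-file profile with the bundle, client cert and key inlined.
# A tls-auth key goes in the same way, inside <tls-auth>...</tls-auth> plus `key-direction 1`.
write_ovpn() {
  out=$1; host=$2; bundle=$3; cert=$4; key=$5
  {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$host"
    # refuse a server that presents a client-type cert (the StartSSL server/client split)
    printf 'remote-cert-tls server\nverb 3\n'
    printf '<ca>\n';   cat "$bundle"; printf '</ca>\n'
    printf '<cert>\n'; cat "$cert";   printf '</cert>\n'
    printf '<key>\n';  cat "$key";    printf '</key>\n'
  } > "$out"
  chmod 600 "$out"
}

run_demo() {
  work=$1
  make_demo_pki "$work"
  pfx_to_pem "$work/client.pfx" demo "$work"
  build_ca_bundle "$work/ca-COMBINED.pem" "$work/ca.pem" "$work/sub.class1.client.ca.pem"
  write_ovpn "$work/client.ovpn" vpn.example "$work/ca-COMBINED.pem" \
    "$work/client.crt" "$work/client.key"
}

WORK=$(mktemp -d)
run_demo "$WORK"
# Root alone reproduces the error quoted in the answer; the combined bundle resolves it.
if verify_chain "$WORK/ca.pem" "$WORK/client.crt"; then
  echo "root alone verified the client cert (unexpected for a sub-CA-issued cert)"
else
  echo "root alone: unable to get local issuer certificate (expected)"
fi
if verify_chain "$WORK/ca-COMBINED.pem" "$WORK/client.crt"; then
  echo "combined bundle verifies; profile written to $WORK/client.ovpn"
fi
```

Run it as `sh build-profile.sh`; it leaves the generated profile in a fresh temporary directory and prints the path. The `remote-cert-tls server` line is there for the same reason StartSSL keeps server and client certificates apart: without it, any certificate chained to the bundle, including another client's, could be presented as the server.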

0

No, you cannot use your issued certificate like that. OpenVPN works by allowing you to issue certificates signed by an authority your server is configured to trust, thus the need to set up your own CA. Each client needs their own unique certificate, and they don't complain about self-signed if configured properly.

Nathan C
  • Though OpenVPN strongly suggests certificate based auth for clients, it isn't strictly required (`--client-cert-not-required`). You can skip that, and use some other (weaker) form of authentication. – Zoredache Aug 31 '14 at 03:16
  • This answer is just flat-out *wrong*. – womble Oct 23 '15 at 23:20
  • The OP hasn't been on the site in months. Should we move the designated answer or de-designate this *wrong* answer? – chicks Oct 24 '15 at 13:20
0

I just set this up after setting this up a year ago and forgetting how to do it, so it's fresh in my mind. Anyway:

(1) load the various certs etc into your OpenVPN server. That's the various certs and keys that you got from your issuer. The cert used for the server should have the CN as the hostname of the server that's used on the outside. (Depending on the server software you may have to concatenate all the various .crt files from the issuer as well and load them into the server.)

(2) combine all the .crt files from the issuer into a big file via cat. I have a Comodo cert, so built it like this:

cat AddTrustExternalCARoot.crt COMODORSAAddTrustCA.crt COMODORSADomainValidationSecureServerCA.crt > all.crt

(3) put that big file of certs as the ca section. If you want to inline it, use --certificates--. If you're using a separate file you can use ca=

(4) create some random client cert and key. This assumes you want to use password authentication, which is what I'm doing.

(5) put the client cert and key into the conf file, either inline or as cert= and key=.

(6) try it.

The reason you do this is because you have a server running multiple services that you're multiplexing. Installing your own CA into all your clients is ridiculous, especially if you're setting up a "family and friends" server.
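Steps (1) to (5) on the server side, as an added shell example that is not the answer's own setup or anything from OpenVPN or Comodo. It checks the point in step (1) that a practitioner most often gets wrong, that the certificate handed to OpenVPN actually names the outside hostname and is a TLS server certificate, then builds the issuer bundle of step (2) and writes a server.conf that authenticates users by password (step (4)'s intent) instead of requiring per-client certificates. The hostname vpn.example, the paths, the password-check script name and the two self-signed demo certificates are constructed here; `openssl req -addext` and `openssl x509 -ext` need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not the answer's, OpenVPN's or Comodo's code). vpn.example, all paths and
# the self-signed demo certificates are constructed for this example.
set -eu

# Print "ok" when CERT names HOST (in the SAN, or the CN if there is no SAN) and carries the
# serverAuth EKU that `remote-cert-tls server` on the clients insists on; otherwise say why not.
check_server_cert() {
  cert=$1; host=$2
  if ! openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q 'does match'; then
    echo "hostname mismatch: $cert does not name $host"
    return 1
  fi
  if ! openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null \
       | grep -q 'TLS Web Server Authentication'; then
    echo "missing serverAuth EKU: $cert is not a TLS server certificate"
    return 1
  fi
  echo ok
}

# Step (2): every issuer .crt concatenated into one file. OpenVPN loads all of them into
# its trust store, so their order does not matter.
build_ca_bundle() {
  out=$1; shift
  cat "$@" > "$out"
}

# Steps (3) and (5), server side: bundle as `ca`, the server's own cert/key, and no client
# certificate demanded at all. `verify-client-cert none` is the OpenVPN 2.4+ spelling of the
# older `client-cert-not-required`; AUTH_SCRIPT (assumed path) receives username/password
# via the environment and its exit status decides whether the user gets in.
write_server_conf() {
  out=$1; bundle=$2; cert=$3; key=$4; auth_script=$5
  cat > "$out" <<EOF
port 1194
proto udp
dev tun
ca $bundle
cert $cert
key $key
dh none
server 10.8.0.0 255.255.255.0
# password authentication instead of per-client certificates
verify-client-cert none
username-as-common-name
script-security 2
auth-user-pass-verify $auth_script via-env
keepalive 10 120
persist-key
persist-tun
verb 3
EOF
}

WORK=$(mktemp -d)
# Constructed good cert: names the public host and is marked for TLS server use.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=vpn.example" \
  -addext "subjectAltName=DNS:vpn.example" -addext "extendedKeyUsage=serverAuth" \
  -keyout "$WORK/server.key" -out "$WORK/server.crt" 2>/dev/null
# Constructed wrong cert: issued for the mail host and of client/S-MIME type, the kind of
# cert that would be "reused" by mistake on a box multiplexing several services.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=mail.example" \
  -addext "subjectAltName=DNS:mail.example" -addext "extendedKeyUsage=clientAuth" \
  -keyout "$WORK/other.key" -out "$WORK/other.crt" 2>/dev/null

check_server_cert "$WORK/other.crt" vpn.example || true
check_server_cert "$WORK/server.crt" vpn.example
# With a self-signed demo cert the issuer "chain" is the cert itself; with a bought cert this
# is the cat of all the .crt files the issuer sent, exactly as in step (2).
build_ca_bundle "$WORK/all.crt" "$WORK/server.crt"
write_server_conf "$WORK/server.conf" "$WORK/all.crt" "$WORK/server.crt" \
  "$WORK/server.key" /etc/openvpn/checkpass.sh
echo "wrote $WORK/server.conf"
```

The first `check_server_cert` call fails on purpose and prints the reason; the second prints `ok`. Clients still need the `ca` bundle plus `auth-user-pass` in their profile, and with `verify-client-cert none` the "random client cert and key" of step (4) is no longer needed at all, which is what makes this workable for a "family and friends" server without installing a private CA on every device.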