
I've set up an OpenVPN server on Debian/jessie, that uses user/password authentication (obtained via LDAP) to grant my users access to the VPN.

The setup deliberately does not use client certificates.

Of course, the server does have a certificate with the hostname vpn.example.com as the subject.

To initiate the TLS session, the server and the clients share a common CA, which is used to sign the server's certificate.

Until now, I've set up my own PKI to sign my own server certificates, and shared my own public CA-key with all the clients.
This strikes me as cumbersome, since I will have to hand out a new CA certificate to all the clients whenever the certificate expires. It also requires me to hand out at least two files: the configuration itself and the accompanying certificate, which makes deployment by the users more error-prone (as opposed to a simple: "copy this config file into that directory").

Instead, I would like to use some public, well-known PKI (e.g. Let's Encrypt/ACME) to sign my server's certificate. Since all the clients already do accept Let's Encrypt, this should allow clients to authenticate with only their username/password (and no "token"-like CA-key).

Unfortunately, it seems that OpenVPN requires an explicit CA-certificate (both on the server and the client side).

Is there a way to make OpenVPN trust a server certificate if it was signed by some CA that is already trusted system-wide?

umläute
  • Why not create your CA with a hundred-year lifespan, if that's what worries you? – MadHatter May 08 '17 at 14:19
  • for starters: because it's much easier to hand out a single configuration file than a collection of conffiles and certs. – umläute May 08 '17 at 14:33
  • I hand out a single tarfile, but there you go. I think you have a fair point, but you might want to mention it in your question. – MadHatter May 08 '17 at 14:52
  • @MadHatter updated the question (and I'm handing out a single zip-file, btw; but still...) – umläute May 08 '17 at 15:00
  • I suspect that OpenVPN's mutual TLS implementation wants a private CA for an additional depth of defense: since the server only accepts clients signed by that CA, using a private CA ensures the clients are _yours_ instead of _any others_ that could be signed by a public CA without your consent. – bishop Mar 28 '23 at 17:57
  • as said in the question: "The setup deliberately does not use client certificates." so I think this is moot. – umläute Mar 28 '23 at 19:04
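
The single-file deployment the question is after (user/password only, no client certificate, server certificate checked against a pinned CA and the vpn.example.com hostname) can be written as one OpenVPN client config with the CA embedded inline. This is an added example, not from the question or its comments; the port, protocol and the CA PEM are assumptions and the PEM body is a placeholder.

```conf
# Added example client config (not from the question). Assumes the server
# listens at vpn.example.com:1194/UDP, authenticates by username/password
# and that clients present no certificate of their own.
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
persist-key
persist-tun

# Username/password only: OpenVPN prompts for them (or reads them from a
# file given as the argument).
auth-user-pass

# Check the server certificate beyond "chains to the CA". Without these two
# lines any certificate issued by the same CA is accepted as the VPN server,
# which matters most when the CA is a public one that issues to anyone.
remote-cert-tls server
verify-x509-name vpn.example.com name

# The CA certificate travels inside the config, so the user receives one
# file instead of a config plus a separate .crt.
# PLACEHOLDER: replace with the PEM of the CA that signed the server cert.
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
```

When the CA is rotated, the only thing that changes is the inline block, so redistribution is still a single file.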

0 Answers