Monday, September 22, 2008

Multiple Certificate Authorities on OpenVPN

I lost the CA key for an OpenVPN server I have. Not wanting to modify the configuration on an existing client, possibly taking it down, I realized I just needed to use two certificate authorities. At first, I tried putting two CAs in the configuration file, but that did nothing. Then I read that both certificates just have to be in the same file, so the ca.crt file now has two certificates in it:

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
That was it. Then I just had to make sure new clients get the double certificate file, since the server's certificate was signed with the lost CA key.
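To see why the bundle matters, here is an added example (not from the original post) that generates two throwaway CAs, signs a server certificate with the first one, concatenates both CA certificates into ca.crt exactly as above, and checks with openssl verify which files the server certificate chains to. It assumes the openssl command-line tool is on PATH; the CA names old-ca and new-ca and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: two-CA bundle for OpenVPN, checked with the openssl CLI.
# Assumes `openssl` is installed. All keys and certificates are throwaway
# test material created in a scratch directory (constructed, not real).
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Create a self-signed CA certificate and key with CN=$1 (test CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# Issue a server certificate with CN=$2, signed by the CA named $1.
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -CAcreateserial -days 30 -out "$2.crt" >/dev/null 2>&1
}

# Return 0 if certificate $2 chains to a CA in the PEM file $1, else non-zero.
# This is the same check OpenVPN performs with the `ca` file from its config.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Count the certificates in a PEM bundle (one BEGIN line per certificate).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

make_ca old-ca            # stands in for the CA whose key was later lost
make_ca new-ca            # the replacement CA for newly issued certificates
issue_server_cert old-ca server

# The bundle is a plain concatenation of the two CA certificates.
cat old-ca.crt new-ca.crt > ca.crt

echo "certificates in ca.crt: $(count_certs ca.crt)"
for ca in old-ca.crt new-ca.crt ca.crt; do
    if verify_against "$ca" server.crt; then
        echo "server.crt verifies against $ca"
    else
        echo "server.crt does NOT verify against $ca"
    fi
done
```

The run shows the server certificate verifying against old-ca.crt and against the bundle, but not against new-ca.crt alone, which is exactly why a client that only carries the new CA's certificate would reject the existing server. Both the server's and the clients' ca entries should point at the combined file.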

OpenVPN and Vista (32 and 64 bit)

Since OpenVPN creates a network interface, it essentially needs a software-backed network driver. Linux uses the tun and tap drivers. Windows also uses a tap driver, but it's provided by the OpenVPN project. Back with Windows XP, this wasn't an issue; all that installing an unsigned third-party driver required was clicking a "Continue" button. Vista doesn't allow this; it requires signed drivers. A new certificate authority can be installed, but that process isn't for end users.

Luckily, starting with OpenVPN 2.1, OpenVPN ships signed drivers for both the 32- and 64-bit versions of Vista. The only headache is noticing that the download page lists 2.1, a release candidate, between the latest stable version and the legacy versions.