OpenVPN with smart cards / crypto tokens HOWTO Introduction ...

More documents

Recommendations

Info

OpenVPN with smart cards / crypto tokens HOWTOexport KEY_ORG="Fort-Funston"export KEY_EMAIL="me@myhost.mydomain"Note that we are using 2048 bit keys.By default, all keys will be generated in /etc/openvpn/easy-rsa/keys folder.Install your settings in OpenSSL configuration:source ./varStep 3: clean previous configurationsWarning: this will remove the key directory, including previous CAs and keys.Don't clean your configuration unless you know precisely what you are doing../clean-allStep 4: create a DH keyCreate a shared DH key used to secure key hashing:Warning: on slow computers, this can take 15 minutes../build-dhThis creates a file name dh2048.pem in /etc/openvpn/easy-rsa/keysStep 5: create CAGenerate the Certificate Authority (CA):pkitool --init-caTwo files are created in keys folder:ca.key: CA private key.ca.crt: CA X.509 certificate.Step 6: create server certificateGenerate server key (Moon):$ pkitool --server serverThree files are generated:server.key: server RSA private key.server.crt: Server X.509 certificate.server.csr: Server signing request (no need to keep it).Step 7: create client certificate on diskGenerate client key (Road warrior).The pkcs12 file includes all information, for later import to smartcard.pkitool --pkcs12 clientEnter your password twice to secure the pkcs12 file.Four files are generated:client.key: client RSA private key.client.crt: client X.509 certificate.client.csr: client signing request (no need to keep it).client.p12: PKCS#12 file including RSA private key, X.509 certificate and CA authorityStep 8: transfer client certificates to smartcardNow we need to transfer the PKCS#12 file to the smartcard.All steps are described in the Quickstarter Guide.You may need to:Erase and format the smartcard, adapt PIN code and label.Waring: you will loose all content:$ pkcs15-init -E$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"Copyright GOOZE 2010-2011 http://www.gooze.eu 4 / 8
OpenVPN with smart cards / crypto tokens HOWTOImport client certificate:pkcs15-init --store-private-key client.p12 --format pkcs12 --auth-id 01 --pin 0000Using reader with a card: Feitian SCR301 00 00Please enter passphrase to unlock secret key:Importing 2 certificates:0: /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=client/emailAddress=openvpn@gooze.eu1: /C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZE CA/emailAddress=openvpn@gooze.euNow, dump content of smartcard:$pkcs15-tool --dumpUsing reader with a card: Feitian SCR301 00 00PKCS#15 Card [François Pérou]:Version : 0Serial number : 3023492517080710Manufacturer ID: EnterSafeLast update : 20110416173513ZFlags : EID compliantPIN [User PIN]Object Flags : [0x3], private, modifiableID : 01Flags : [0x32], local, initialized, needs-paddingLength : min_len:4, max_len:16, stored_len:16Pad char : 0x00Reference : 1Type : ascii-numericPath : 3f005015Private RSA Key [Private Key]Object Flags : [0x3], private, modifiableUsage : [0xC], sign, signRecoverAccess Flags : [0x0]ModLength : 2048Key ref : 1 (0x1)Native : yesPath : 3f005015Auth ID : 01ID : fa6642b43f1fffa234062d10de583fd6455a962fGUID : {fa6642b4-3f1f-ffa2-3406-2d10de583fd6}X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=client/emailAddress=openvpn@gooze.eu]Object Flags : [0x2], modifiableAuthority : noPath : 3f0050153100ID : fa6642b43f1fffa234062d10de583fd6455a962fGUID : {fa6642b4-3f1f-ffa2-3406-2d10de583fd6}Encoded serial : 02 01 02X.509 Certificate [/C=FR/ST=95/L=Montmorency/O=GOOZE/CN=GOOZECA/emailAddress=openvpn@gooze.eu]Object Flags : [0x2], modifiableAuthority : yesPath : 3f0050153101ID : efc7893a44c581de8fa476831c46c06c447cf8b1GUID : {efc7893a-44c5-81de-8fa4-76831c46c06c}Encoded serial : 02 09 008085F62ACE424CEDOpenVPN configuration with smartcards on Moon(server)Copy credentials to /etc/openvpn folder:dh2048.pemca.crtserver.crtserver.keyCreate the following file:/etc/openvpn/tun1.confserverdev tun1Copyright GOOZE 2010-2011 http://www.gooze.eu 5 / 8
Page 7 and 8: OpenVPN with smart cards / crypto t

OpenVPN with smart cards / crypto tokens HOWTO Introduction ...

Create successful ePaper yourself

Delete template?

Save as template?