Not familiar with --outform argument. Will have to look into it.
Presume you are doing site to site/network to network? Or are you setting this up for end users to terminate to?
I've done the latter many many times, but not net to net. Happy to provide docs if you/nanog like.
I think that everyone should run a vpn to secure remote access to services they are operating.
You integrating this with an existing PKI infrastructure? If so is it openssl based?
Or maybe AD based?
Lots of openvpn variables.... Might be worth starting a new thread on the subject. As I said, I feel it's vital for folks to have a deep familiarity with openvpn and best practices etc.
end user to network
having probs with certs, i.e. what --outform it wants. not finding in
docs. tried raw, but now guessing pem. same for client and server
server
    ca.crt
    server.crt
    server.key
client
    ca.crt
    client.crt
    client.key
and i presume i have to dump all client.crt files in the server's
../openvpn dir, but under what names? or does it just wantonly trust
anyone under that ca?
randy
Randy Bush wrote:
> end user to network
>
> having probs with certs, i.e. what --outform it wants. not finding in
> docs. tried raw, but now guessing pem. same for client and server
>
> server
>     ca.crt
>     server.crt
>     server.key
> client
>     ca.crt
>     client.crt
>     client.key
>
> and i presume i have to dump all client.crt files in the server's
> ../openvpn dir, but under what names? or does it just wantonly trust
> anyone under that ca?
>
> randy
What error is getting logged?
They are just normal certs and should be in the keys directory under openvpn's user directory.
OpenVPN includes scripts that can make the certificates for you under the directory easy-rsa.
Use the easy-rsa stuff and it will do all the hard work for you.
http://openvpn.net/index.php/open-source/documentation/howto.html
Scott
>> having probs with certs, i.e. what --outform it wants. not finding in
>> docs. tried raw, but now guessing pem. same for client and server
> Use the easy-rsa stuff and it will do all the hard work for you.
we have a pki we know and love
but i am trying/dissecting easy-rsa to see what it is doing
randy
>> having probs with certs, i.e. what --outform it wants.
> They are just normal certs
just normal certs can be text, pem, der, ...
randy
Any cert signed by that CA. Use --client-config-dir to limit which CNs are acceptable, and to add custom configs per client on the server. On the client, use --tls-remote to limit which CN the client will accept when connecting to the server.
On the server, you can also roll your own script to inspect the certificate presented by the client, and act on that.
Stefan
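Added example, not part of Stefan's post or of the OpenVPN distribution: one way to write the server-side script he describes, as a `--tls-verify` hook that accepts a client only if its CN is on an allowlist. It assumes an OpenVPN build that exports `X509_0_CN` to the hook; the script name, the allowlist path and the `ALLOWED_CNS_FILE` variable are hypothetical.

```shell
#!/bin/sh
# Added example of a server-side --tls-verify hook (not from the thread).
# Assumed server.conf lines (paths are hypothetical):
#   script-security 2
#   tls-verify /etc/openvpn/verify-cn.sh
# OpenVPN runs the hook once per certificate in the chain as
#   <script> <certificate_depth> <x509_subject>
# after its own chain validation; exit 0 accepts, non-zero rejects.

# cn_allowed CN FILE: succeed only if CN is exactly one whole line of FILE.
# An empty CN or an unreadable allowlist is a rejection (fail closed).
cn_allowed() {
    [ -n "$1" ] && [ -r "$2" ] && grep -Fxq -- "$1" "$2"
}

# verify_cert DEPTH CN FILE: decide one element of the chain.
verify_cert() {
    case "$1" in
        0) cn_allowed "$2" "$3" ;;    # leaf (client) certificate: CN must be listed
        ''|*[!0-9]*) return 1 ;;      # malformed depth: fail closed
        *) return 0 ;;                # CA levels: signatures already checked by OpenVPN
    esac
}

# Entry point when OpenVPN invokes the script with depth and subject.
# The CN is read from X509_0_CN rather than parsed out of the subject string,
# whose layout differs between OpenVPN versions.
if [ "$#" -ge 2 ]; then
    verify_cert "$1" "${X509_0_CN:-}" "${ALLOWED_CNS_FILE:-/etc/openvpn/allowed-cns.txt}"
    exit $?
fi
```

The allowlist file holds one CN per line; removing a line blocks that client on its next TLS handshake without touching the CA.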