OpenVPN has the capability of using the Windows CryptoAPI store to retrieve the public and private key needed for setting up a connection. This improves security somewhat, as the CryptoAPI store is more secure than the plaintext .crt and .key files that are normally used to set up an OpenVPN connection.
In this recipe, we will configure an OpenVPN client to retrieve the required information from the CryptoAPI store when connecting to the server. This recipe was tested on Windows 7, but it will also work on other versions of Windows.
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2, Client-server IP-only Networks, at hand.
Convert the client2.crt and client2.key files to PKCS12 format. Open a Windows command shell and change the directory to the location where these files are located:

[winclient]C:\> cd C:\Program Files\OpenVPN\config
[winclient]C:\Program Files\OpenVPN\config> ..\bin\openssl pkcs12 -export -in client2.crt -inkey client2.key -out client2.p12
Enter pass phrase for client2.key: [existing password]
Enter Export Password: [new export password]
Verifying - Enter Export Password: [repeat export password]

Next, import the PKCS12 file into the Windows certificate store:

[winclient]C:\Program Files\OpenVPN\config> start client2.p12
The certificate import wizard will start.
If you select the checkbox labelled "Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option", the certificate and private key are even better protected, but you will be required to retype the password every time OpenVPN starts.
Create the client configuration file:

client
proto udp
remote openvpnserver.example.com
port 1194
dev tun
nobind

remote-cert-tls server
tls-auth "c:/program files/openvpn/config/ta.key" 1
ca "c:/program files/openvpn/config/ca.crt"
cryptoapicert "SUBJ:Client2"

Save it as example9-4.ovpn. Start the server:

[root@server]# openvpn --config basic-udp-server.conf

Then start the client with the example9-4.ovpn configuration.
The VPN connection should be established without asking for a private key password. If the CryptoAPI option, Enable strong private key protection, was enabled, a separate dialog will pop up to ask for the CryptoAPI password.
The Windows OpenVPN client software is capable of extracting a certificate and public key from the Windows CryptoAPI store if either the certificate subject name is specified using the keyword SUBJ:, or the certificate thumbprint (fingerprint) is specified using the keyword THUMB:. After retrieving the certificate and private key from the CryptoAPI store, the VPN connection is established in exactly the same manner as if plaintext certificate and private key files had been used.
There are several small yet important details to keep in mind when using the Windows CryptoAPI store. We will cover these in the following sections.
Note that it is still required to specify the CA certificate using the following line (the path contains spaces, so it must be quoted):

ca "c:/program files/openvpn/config/ca.crt"
In theory, it would be possible to also retrieve the CA certificate from the CryptoAPI store, but this is currently not implemented in OpenVPN. Also, note that the CA certificate file needs to contain the certificate authority that was used to sign the server-side certificate, not the client-side certificate.
Instead of supplying cryptoapicert SUBJ:<subject name>, it is also possible to specify cryptoapicert THUMB:<fingerprint>.
The fingerprint or thumbprint of an X509 certificate can be retrieved either by looking up the Thumbprint property of the imported certificate in the Windows certificate store or by typing the OpenSSL command:

C:\Program Files\OpenVPN\config> ..\bin\openssl x509 -fingerprint -noout -in client2.crt
SHA1 Fingerprint=91:93:72:7D:0D:D7:33:58:81:DA:DE:2C:17:1E:36:43:58:40:BF:50
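The SHA-1 fingerprint printed by OpenSSL and the Thumbprint property shown by Windows are the same digest over the certificate's DER encoding, only displayed differently (colon-separated uppercase versus space-separated lowercase). The following Python script, an added example that is not from the book or from the OpenVPN project, computes that digest from a PEM file and converts either display form into a cryptoapicert THUMB: line. It assumes the directive format shown in the OpenVPN manual page, twenty lowercase hex byte values separated by single spaces; the PEM block embedded in it is a constructed stand-in payload for the hashing step, not a real certificate.

```python
"""Derive an OpenVPN cryptoapicert THUMB: selector from a certificate fingerprint.

Added example, not code from the OpenVPN project or the recipe. The THUMB:
value format (lowercase hex pairs separated by spaces) follows the OpenVPN
manual page and is an assumption of this script.
"""
import base64
import hashlib
import re

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in: the body is base64 of b"abc", NOT a real X.509
# certificate. The thumbprint is defined over the DER bytes, so the hashing
# step behaves exactly as it would for a real client2.crt.
CONSTRUCTED_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM file."""
    match = PEM_CERT_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop line breaks and padding whitespace
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """OpenSSL-style fingerprint: SHA-1 of the DER, uppercase hex pairs joined by ':'.

    Windows shows the same digest as the certificate's Thumbprint property.
    """
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(text: str) -> bytes:
    """Accept the common display forms and return the raw 20 digest bytes.

    Handles 'SHA1 Fingerprint=AA:BB:...', 'aa bb ...' as copied from the
    Windows certificate dialog, and bare 'aabb...'. Anything that is not
    exactly 40 hex digits is rejected so a truncated copy/paste cannot
    silently produce a selector that matches nothing.
    """
    if "=" in text:
        text = text.split("=", 1)[1]
    hexdigits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", hexdigits):
        raise ValueError("thumbprint must be 40 hex digits (SHA-1)")
    return bytes.fromhex(hexdigits)


def is_valid_thumbprint(text: str) -> bool:
    """True if normalize_thumbprint() would accept the string."""
    try:
        normalize_thumbprint(text)
    except ValueError:
        return False
    return True


def thumb_directive(thumbprint: str) -> str:
    """Build the cryptoapicert line for a THUMB: selector (format assumed, see above)."""
    raw = normalize_thumbprint(thumbprint)
    spaced = " ".join(f"{b:02x}" for b in raw)
    return f'cryptoapicert "THUMB:{spaced}"'


def subj_directive(subject: str) -> str:
    """Build the cryptoapicert line for a SUBJ: selector."""
    return f'cryptoapicert "SUBJ:{subject}"'


if __name__ == "__main__":
    der = pem_to_der(CONSTRUCTED_PEM)
    fp = sha1_fingerprint(der)
    print("SHA1 Fingerprint=" + fp)
    print(thumb_directive(fp))
    print(subj_directive("Client2"))
```

A practical difference between the two selectors: the thumbprint pins one exact certificate, so after client2.crt is renewed the THUMB: line must be regenerated from the new file, while a SUBJ: line keeps matching as long as the subject name is unchanged.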