Windows - using the CryptoAPI store

OpenVPN has the capability of using the Windows CryptoAPI store to retrieve the public and private key needed for setting up a connection. This improves security somewhat, as the CryptoAPI store is more secure than the plaintext .crt and .key files that are normally used to set up an OpenVPN connection.

In this recipe, we will configure an OpenVPN client to retrieve the required information from the CryptoAPI store when connecting to the server. This recipe was tested on Windows 7, but it will also work on other versions of Windows.

Getting ready

Set up the client and server certificates using the first recipe from Chapter 2Client-server IP-only Networks. For this recipe, the server computer was running CentOS 6 Linux and OpenVPN 2.3.11. The client computer was running Windows 7 SP1 and OpenVPN 2.3.11. Keep the configuration file, basic-udp-server.conf, from the Server-side routing recipe in Chapter 2Client-server IP-only Networks at hand.

How to do it...

  1. First, we need to import the client certificate into the CryptoAPI store. In order to do that we must convert the existing client2.crt and client2.key files to PKCS12 format. Open a Windows command shell and change the directory to the location where these files are located:
    [winclient]C:> cd C:Program FilesOpenVPNconfig
    [winclient]C:Program FilesOpenVPNconfig>..inopenssl 
            pkcs12
        -export -in client2.crt -inkey client2.key -out client2.p12
    Enter pass phrase for client2.key: [existing password]
    Enter Export Password: [new export password]
    Verifying - Enter Export Password: [repeat export password]
    
  2. Next, import the PKCS12 file into the Windows CryptoAPI store:
    [winclient]C:Program FilesOpenVPNconfig>start client2.p12
    

    The certificate import wizard will start.

  3. Click on Next on the first screen and again click on Next on the second screen. Then, you must supply the export password from the previous step:
    How to do it...

    If you select the Enable strong private key protection. You will be prompted every time the private key is used by an application if you enable this option checkbox, the certificate and private key are even better protected, but you will be required to retype the password every time OpenVPN starts.

  4. Click on Next. In the next screen, select the default option, Automatically select the certificate store, and click on Next once more. By clicking on Finish in the next screen, the certificate import is completed.
    How to do it...
  5. Create the client configuration file:
            client 
            proto udp 
            remote openvpnserver.example.com 
            port 1194 
     
            dev tun 
            nobind 
     
            remote-cert-tls server 
            tls-auth "c:/program files/openvpn/config/ta.key" 1 
            ca          "c:/program files/openvpn/config/ca.crt" 
            cryptoapicert  "SUBJ:Client2" 
    
  6. Save the configuration file as example9-4.ovpn. Start the server:
    [root@server]# openvpn --config basic-udp-server.conf
    
  7. Start the VPN connection using the OpenVPN GUI.

The VPN connection should be established without asking for a private key password. If the CryptoAPI option, Enable strong private key protection, was enabled, a separate dialog will pop up to ask for the CryptoAPI password.

How it works...

The Windows OpenVPN client software is capable of extracting a certificate and public key from the Windows CryptoAPI store if either the certificate subject name is specified using the keyword, SUBJ:, or if the certificate thumbprint or fingerprint is specified using the keyword, THUMB:. After retrieving the certificate and private key from the CryptoAPI store, the VPN connection is established in exactly the same manner as if a plaintext certificate and private key files had been used.

There's more...

There are several small yet important details when using the Windows CryptoAPI store. We will cover this in the following sections.

The CA certificate file

Note that it is still required to specify the CA certificate using the following line:

ca c:/program files/openvpn/config/ca.crt 

In theory, it would be possible to also retrieve the CA certificate from the CryptoAPI store, but this is currently not implemented in OpenVPN. Also, note that the CA certificate file needs to contain the certificate authority that was used to sign the server-side certificate, not the client-side certificate.

Certificate fingerprint

Instead of supplying cryptoapicert SUBJ:<subject name>, it is also possible to specify cryptoapicert THUMB:<fingerprint>.

The fingerprint or thumbprint of an X509 certificate can be retrieved both by either looking up the Thumb property for the imported certificate in the Windows Certificate store or by typing the OpenSSL command:

C:Program FilesOpenVPNconfig>..inopenssl x509 
    -fingerprint -noout -in client2.crt
SHA1 Fingerprint=91:93:72:7D:0D:D7:33:58:81:DA:DE:2C:17:1E:36:43:58:40:BF:50
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
18.216.197.92