Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
I'm trying to set up OpenVPN to use a third-party CA, and it's unclear to me how to use the serial and index.txt files that are created when one uses the easy-rsa scripts to set up OpenVPN. If I'm using my own CA, can I ignore those? It's also unclear to me how OpenVPN figures out the server.key passphrase.
I'd also like to leverage the --tls-verify cmd directive but I am unsure of where to specify it.
What I would like to do is have --tls-verify call a Perl script that then verifies that the CN of the certificate the client is passing in matches a CN in an LDAP group. I figure I can do the LDAP group lookup with some easy Perl stuff; it's unclear to me, though, whether --tls-verify is going to pass in the RDN of the client cert.
You don't need to use the index and serial files for anything. They're only for easy-rsa. If you're using an external CA, just get your server's certificate signed by that CA. Unless you mean you want to use easy-rsa to do the signing, supplying an external certificate. If that's the case, I don't think easy-rsa is really meant for that. I'd do it by hand using openssl (all the commands you need are in the easy-rsa scripts).
You can use 'askpass [filename]' to provide a password for your server's private key, obviously making sure that 'filename' has suitable permissions (600 and owned by root).
As for tls-verify, I'm not sure (never used it). From looking at the example 'verify-cn' script it looks like you get the whole lot. The example script then checks the CN with a regex. I guess you could do similar to get whatever you want for the LDAP check. I'd just write the script and have it dump some debug output somewhere to check.
That helps a bunch! I wasn't sure what those files [index, serial] were used for, and my googling didn't help. I ended up using easy-rsa to generate files, then just copied the CA (my external CA) roots over the top and re-signed the server cert. I'll dump out the rest of the files. On the plus side, I figured easy-rsa would handle setting up the password on the server's key.
You just described about what I was going to try with tls-verify. I figured it would be easier to ask first, though. I'm going to assume that tls-verify is somehow passing along the CN.
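The following is an added example, not code from this thread or from the OpenVPN project, showing the shape of a --tls-verify hook like the one discussed above. OpenVPN runs the command once for every certificate in the peer's chain, passing two arguments: the certificate depth (0 is the client's own certificate, 1 and above are the issuing CAs) and the X.509 subject; exit status 0 accepts and anything else rejects. The hook is wired in with `tls-verify /path/to/script` in the server config, and `script-security 2` is needed for OpenVPN to execute it. The script below handles both subject formats OpenVPN versions have used (RFC 2253 `CN=x,O=y` and the older `/C=US/O=y/CN=x`), checks only the depth-0 certificate, and stands in for the LDAP group lookup with a constructed set of member CNs (`ALLOWED_CNS`, an assumption); a real deployment would replace that set with a directory query.

```python
#!/usr/bin/env python3
"""Hypothetical OpenVPN --tls-verify hook (added example, not OpenVPN's code).

Admit a client only if the CN of its certificate is in an allowed group.
Invoked by OpenVPN as:  script <depth> <x509-subject>
Exit 0 = accept this certificate, non-zero = reject the connection.
"""
import re
import sys
from typing import Optional, Set

# Constructed stand-in for the LDAP group lookup: the CNs that the directory
# group resolves to. A real hook would query LDAP for the group's members here.
ALLOWED_CNS: Set[str] = {"alice.laptop", "bob.desktop"}


def extract_cn(subject: str) -> Optional[str]:
    """Return the CN from an X.509 subject in either format OpenVPN may pass:
    RFC 2253 style ("CN=alice.laptop,O=Example") or the legacy slash style
    ("/C=US/O=Example/CN=alice.laptop"). Returns None if there is no CN."""
    if subject.startswith("/"):
        parts = [p for p in subject.split("/") if p]
    else:
        # RFC 2253 separates attributes with commas; a comma inside a value
        # is escaped as "\,", so split only on commas not preceded by "\".
        parts = re.split(r"(?<!\\),", subject)
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip().replace("\\,", ",")
    return None


def verify(depth: int, subject: str, allowed: Set[str]) -> bool:
    """Decide whether this certificate in the chain is acceptable.

    Only the peer certificate (depth 0) is checked against the group. CA
    certificates higher in the chain are accepted here: OpenVPN only calls
    the hook for chains that already passed its own CA verification, and a
    CA's CN is not a user and should not be looked up in the group.
    """
    if depth != 0:
        return True
    cn = extract_cn(subject)
    return cn is not None and cn in allowed


def main(argv) -> int:
    """Entry point mirroring OpenVPN's calling convention; returns the exit status."""
    if len(argv) != 3:
        print("usage: tls-verify-cn.py <depth> <x509-subject>", file=sys.stderr)
        return 1
    try:
        depth = int(argv[1])
    except ValueError:
        return 1
    ok = verify(depth, argv[2], ALLOWED_CNS)
    # Debug output lands in the OpenVPN log, which is what the thread suggests
    # for confirming what the hook actually receives.
    verdict = "accept" if ok else "reject"
    print(f"tls-verify depth={depth} subject={argv[2]!r} -> {verdict}", file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two points worth noting from a defender's view: failing closed on any parse error (a missing CN or a non-numeric depth rejects) means a malformed or unexpected subject never slips through, and keeping the group check at depth 0 only avoids accidentally demanding that the CA's own CN appear in the user group.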