OpenVPN with a Windows Certificate Services PKI
Yep, it's perfectly possible. x509 is x509.
OpenVPN 2.1 (beta, but perfectly stable) supports CryptoAPI. We use it on a daily basis.
To use your existing PKI, just give the OpenVPN server a copy of the CA. You can specify which clients can log in, if you don't want everyone on the CA to have access, by using CCD. Then place the following in your client configs:
cryptoapicert "THUMB:<cert_thumb>"
You can copy/paste the <cert_thumb> from the certificate details in the Windows personal cert store.
Auto Enroll is a pain and it's been a while since I struggled with it. But it does work, eventually.
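An added example (not part of the answer above) for the client side: a PowerShell check that auto-enrollment actually delivered a usable certificate to the user's personal store, picking the newest one with a private key and the Client Authentication EKU and building the cryptoapicert line from its thumbprint. The CA name is an assumed placeholder.

```powershell
# Added example, not from the original answer. Assumes the issuing CA's subject
# contains "Contoso Issuing CA" (placeholder; replace with your own CA name).
function Get-OpenVpnCryptoApiLine {
    param(
        [string]$IssuerPattern = 'Contoso Issuing CA',   # assumed CA name
        [switch]$BySubject                               # emit SUBJ: instead of THUMB:
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU

    # Only certificates the user can actually sign with are useful to OpenVPN:
    # issued by our CA, private key present, not expired, client-auth EKU.
    $candidates = Get-ChildItem Cert:\CurrentUser\My |
        Where-Object {
            $_.Issuer -like "*$IssuerPattern*" -and
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        } |
        Sort-Object NotAfter -Descending

    if (-not $candidates) {
        # This is the "did enrollment work for this user?" check from the question.
        Write-Warning "No usable certificate from '$IssuerPattern' in CurrentUser\My."
        return $null
    }

    $cert = $candidates[0]
    Write-Host ("Using {0}, expires {1:yyyy-MM-dd}" -f $cert.Subject, $cert.NotAfter)

    if ($BySubject) {
        # SUBJ: is a substring match on the subject, so use the simple name (CN),
        # not the full DN string.
        $simple = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        return "cryptoapicert `"SUBJ:$simple`""
    }
    # The store's Thumbprint is already the hex string OpenVPN expects.
    return "cryptoapicert `"THUMB:$($cert.Thumbprint)`""
}

# Usage: paste the returned line into the client .ovpn
Get-OpenVpnCryptoApiLine
```

On the server, restricting access to a subset of the CA's certificates is done with client-config-dir plus ccd-exclusive, so only users with a CCD file matching their certificate CN are allowed to connect.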
Johannes Rudolph
Updated on September 17, 2022
Comments
- Johannes Rudolph (over 1 year ago): Has anyone tried using OpenVPN with certificates generated by Windows Certificate Services? In theory this should work.
The provided easy-rsa PKI is not very comfortable to manage for many users. I already have an Active Directory set up and I'd ideally want to have AD integration for the certificates. I have followed this guide to set up auto-enrollment for a user group. However, I can't even make sure whether the corresponding user has successfully been assigned a certificate. It seems overly complex to me.
- Dan Carley (almost 15 years ago): PS: Apparently you can use SUBJ instead of THUMB. I haven't confirmed it myself, but that would be easier.