Friday, June 27, 2014

OpenVPN Server with ACS SmartCard

This is a note on how to configure an OpenVPN server with a smartcard (PKCS#11) and a Windows client.

1. Install the OpenVPN server; please refer HERE.

2. Generate a certificate for the client:
# ./build-key-pkcs12 client2
Generating a 1024 bit RSA private key
........................++++++
....................................++++++
writing new private key to 'client2.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [MY]:
State or Province Name (full name) [KL]:
Locality Name (eg, city) [Petaling Jaya]:
Organization Name (eg, company) [Test]:
Organizational Unit Name (eg, section) [server]:
Common Name (eg, your name or your server's hostname) [client2]:
Name [server]:
Email Address [me@test.com]:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/openvpn/easy-rsa/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'MY'
stateOrProvinceName   :PRINTABLE:'KL'
localityName          :PRINTABLE:'Petaling Jaya'
organizationName      :PRINTABLE:'Test'
organizationalUnitName:PRINTABLE:'server'
commonName            :PRINTABLE:'client2'
name                  :PRINTABLE:'server'
emailAddress          :IA5STRING:'me@test.com'
Certificate is to be certified until Jun 21 13:06:42 2024 GMT (3650 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter Export Password:
Verifying - Enter Export Password:

Copy all client2* files to the Windows machine that has the ACS Cert Management Utility installed.

3. Import the client cert
3.1 Plug in the smartcard reader and log in.
3.2 Action > Certificate Manager
3.3 Click Import and select the file you just copied, e.g. client2.p12.
3.4 When prompted for the export password, enter the password you set while generating the cert. DO NOT LEAVE IT BLANK.


4. Install and configure the OpenVPN client (without installing its GUI).
4.1 Download the GUI from http://ovpnppc.ziggurat29.com/files/openvpn-gui-1.0.3-pkcs11.src.zip; this version prompts for the PKCS#11 PIN, which the version from the official site does not.

4.2 Locate the PKCS#11 middleware DLL supplied by the smartcard vendor. In my case it is:
"C:\Program Files\Advanced Card Systems Ltd\ACOS5-CryptoMate Admin Client Kit\Middleware\x86\PKCS\acospkcs11.dll"

4.3 Find the Serialized id (the path contains spaces, so quote it):
openvpn --show-pkcs11-ids "C:\Program Files\Advanced Card Systems Ltd\ACOS5-CryptoMate Admin Client Kit\Middleware\x86\PKCS\acospkcs11.dll"

The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             C=MY, ST=KL, L=Petaling Jaya, O=Test, OU=server, CN=xp3, name=server, emailAddress=me@test.com
       Serial:         04
       Serialized id:  Advanced\x20Card\x20Systems\x20Ltd\x2E/CTM64/603868942/ACS\x20Card\x20OS\x205/F8892A3678F75A7E586BFBEF805F3CA80DD2

4.4 Add the PKCS#11 provider and the Serialized id to the OpenVPN client config file (the provider path needs double quotes because it contains spaces; the id keeps the single quotes):

pkcs11-providers "C:\Program Files\Advanced Card Systems Ltd\ACOS5-CryptoMate Admin Client Kit\Middleware\x86\PKCS\acospkcs11.dll"
pkcs11-id 'Advanced\x20Card\x20Systems\x20Ltd\x2E/CTM64/603868942/ACS\x20Card\x20OS\x205/F8892A3678F75A7E586BFBEF805F3CA80DD2'


5. Run openvpn-gui and connect.
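As an added example (my own helper, not part of the original post), a small Python script that parses the `openvpn --show-pkcs11-ids` output from step 4, decodes the `\x20`-style escapes in the Serialized id so you can read which token and certificate you are about to bind the VPN to, picks the certificate by CN when a card holds several, and emits the two client config lines with the quoting OpenVPN needs for a provider path that contains spaces. The sample output below is constructed to match the shape of the post's output; the DLL path used in the test is a shortened stand-in.

```python
import re

# Constructed sample in the shape of `openvpn --show-pkcs11-ids` output
# (token id copied from the post; the layout is mine, not a live capture).
SAMPLE_OUTPUT = r"""
The following objects are available for use.
Each object shown below may be used as parameter to
--pkcs11-id option please remember to use single quote mark.

Certificate
       DN:             C=MY, ST=KL, L=Petaling Jaya, O=Test, OU=server, CN=xp3, name=server, emailAddress=me@test.com
       Serial:         04
       Serialized id:  Advanced\x20Card\x20Systems\x20Ltd\x2E/CTM64/603868942/ACS\x20Card\x20OS\x205/F8892A3678F75A7E586BFBEF805F3CA80DD2
"""

FIELD_RE = re.compile(r"^\s*(DN|Serial|Serialized id):\s*(.*?)\s*$")

def parse_pkcs11_ids(text):
    """Return one dict per 'Certificate' block (keys: DN, Serial, Serialized id)."""
    certs, current = [], None
    for line in text.splitlines():
        if line.strip() == "Certificate":
            current = {}
            certs.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return certs

def decode_serialized_id(serialized_id):
    r"""Undo OpenVPN's \xHH escaping so the token path is readable."""
    return re.sub(r"\\x([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), serialized_id)

def find_by_cn(certs, cn):
    """Pick the certificate whose DN carries CN=<cn>; None if the token lacks it."""
    pattern = rf"(?:^|,\s*)CN={re.escape(cn)}(?:,|$)"
    return next((c for c in certs if re.search(pattern, c.get("DN", ""))), None)

def render_client_config(provider_dll, serialized_id):
    """Emit the two client config lines: the DLL path gets double quotes when it
    contains whitespace, the id keeps the single quotes OpenVPN asks for."""
    if "'" in serialized_id:
        raise ValueError("serialized id contains a single quote; cannot quote it safely")
    dll = f'"{provider_dll}"' if re.search(r"\s", provider_dll) else provider_dll
    return f"pkcs11-providers {dll}\npkcs11-id '{serialized_id}'\n"
```

Feed it the real output of `openvpn --show-pkcs11-ids` and compare the decoded id against the card you expect before pasting the rendered lines into the client config.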