OpenVPN: how to disable CSR?
-
I'm going with connection-level authentication, so as soon as the SSL connection is established the user is authenticated.
As a result I want to disable CSRs (certificate signing requests) from the client. Otherwise any client could just submit a CSR and be able to connect.
How do I disable certificate signing requests from the client?
-
Where do you get the idea that someone could submit the CSR to the OpenVPN server and have it signed by the CA automatically? That would defeat the whole idea of PKI.
-
Actually, certificates can be signed by the CA automatically in public key infrastructures. That's why I've never had to wait for someone behind a computer screen to sign my certificate before I log into Gmail, PayPal or my bank.
I just assumed it was possible for OpenVPN to have this functionality, possibly enabled by default. Are you saying clients cannot have their certificates automatically signed by the CA by default?
-
There is no CSR involved when logging into an SSL/TLS-protected website like Gmail, only verification that the server certificate presented by the web server is signed by a trusted third-party CA (like VeriSign, for example). What do you mean by connection-level authentication? OpenVPN in PKI mode does the user authentication during the TLS negotiation; the VPN connection won't be made unless the client presents a valid client certificate signed with the private key of the CA. There is certainly no way to automatically have your client certificate signed by the CA using the OpenVPN server, because the CA's private key might not even be on the same machine where the OpenVPN server runs (it is usually kept on a separate machine for safety reasons).
-
OK, thanks for clearing that up.
Yes, for connection authentication I meant user authentication, the same as what you described.
As for Gmail, I guess they don't care who you are, so as long as you sign your own certificate they'll accept the connection.
Thanks.
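-
The client-certificate check described in the reply above, reproduced with the `openssl` command line as an added example that is not part of the original thread. It is not OpenVPN itself: the file names, the subject names (`Demo CA`, `alice`, `selfsigned`) and the throwaway CA are constructed for the demo, and `server_accepts` stands in for the chain verification the server performs against its `ca` file.

```shell
#!/bin/sh
# Constructed demo: every key and certificate here is a throwaway made in a temp dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# The CA operator creates the CA key pair (on the CA machine, not the VPN server).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A client generates a key and a CSR; the CA operator signs it by hand.
# This signing step is the only point where ca.key is used.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# A client that skips the CA and signs its own certificate.
self_sign() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Server-side check: needs only the CA *certificate*, never the CA private key.
server_accepts() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_client alice
self_sign selfsigned
rm -f "$WORK/ca.key"   # stand-in for the CA key living on a separate machine

for name in alice selfsigned; do
  if server_accepts "$name"; then
    echo "$name: certificate chains to the CA, accepted"
  else
    echo "$name: certificate does not chain to the CA, rejected"
  fi
done
```

With the CA key removed, the verifying side can still validate certificates but has nothing with which to sign a submitted CSR.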