Central Certificate for VPN clients?



  • Hi All,

    I'm not sure if this has been mentioned or asked before, but I can't seem to find anything.  Please feel free to correct me if I'm wrong.

    Our OpenVPN setup started off simply with a single office where each user has a certificate and we authenticate off the central Active Directory.  We've grown over the last 3 years and now have 2 additional branch offices, each in a different country.

    We're going to be rolling out domain controllers to each of the locations and have each one of the firewalls configured to use the local controllers to authenticate the road warriors, but until then we need to get up and running pretty quick.

    I'm trying to get my head around the certificate options.

    1. If we share the CA across each of the sites, which has been generated by our primary firewall, then should each of the users' certificates work across each site?

    2. Would I need to create "local" certificates on each firewall?  If this is the case, and I revoke a certificate, would I need to copy the CRL across to each site manually?

    3. Should I just create new CAs for each site, so that every person has a package for each site should they need it?

    I would be locking out the user accounts anyway (when they leave) so they would be unable to authenticate, but could I use the CA services on the AD and have each firewall reference that?

    Sorry if I'm rambling here, just trying to get my head around the options.

    Any pointers/best practices would be great.


  • Rebel Alliance Global Moderator

    Your central CA could be your AD, one of your pfSense firewalls, some public CA, or any other CA you want to use.

    A central CA for all certs you sign is a good idea, be it user certs for OpenVPN, AD, internal websites, etc.  More than likely this should end up being the one you use for AD, most likely the MS built-in one.

    The only certs you really need from a public CA are ones that will be used by the public with machines that you do not control and that cannot trust your own internal CA.  If you have a website that is accessed by the public, then you need to use a public CA that users' browsers auto-trust.  If the site or VPN is only accessed by your machines, or by users that you can give the CA cert to trust, then internal works great; centralizing that makes for easier management and control.

    While using the CAs on pfSense does make it easy (the interface is pretty clean), if you're going to manage lots and lots of certs it might get a bit hectic.  If it was me, I would most likely leverage the AD CA, since you pretty much use that for all your machine certs as they join your domain anyway.  Might as well just leverage it for all your internal-use certs.
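Added worked example, not code from the thread, from pfSense or from Netgate: a POSIX shell script driving openssl that builds one central CA (the approach recommended in the reply above), issues two user certs against it, revokes one, and then shows what each site's VPN endpoint decides depending on which trust material it actually holds. This illustrates the CRL question from the original post: a site that only has the CA cert, or a stale CRL, keeps accepting the revoked user until the current CRL reaches it. The CA name, user names (alice, bob), the ca.cnf layout and the site bundle filenames are all constructed for the demo and are not values from the thread.

```shell
#!/bin/sh
# Constructed demo: one central CA, user certs, revocation, and per-site CRL state.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Minimal CA database layout that `openssl ca` needs for issue / revoke / gencrl.
mkdir newcerts
: > index.txt
echo 01 > serial
echo 01 > crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = v3_user
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = keyCertSign, cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF

# The single central CA (self-signed; demo name, not a real deployment).
openssl req -config ca.cnf -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
  -keyout ca.key -out ca.crt -subj "/CN=Demo Central VPN CA" -days 365 >/dev/null 2>&1

# Issue a user cert: CSR on the user side, signature by the central CA.
issue_user() {               # issue_user <name>
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
    -out "$1.csr" -subj "/CN=$1" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}

# Revoke a user cert at the central CA and publish a fresh CRL.
revoke_user() {              # revoke_user <name>
  openssl ca -batch -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}

# Trust bundle as one site holds it: the CA cert, plus the CRL if it was copied over.
publish_bundle() {           # publish_bundle <file> [with_crl]
  if [ "${2:-}" = with_crl ]; then cat ca.crt ca.crl > "$1"; else cp ca.crt "$1"; fi
}

# What a site's VPN endpoint decides for a presented cert using only its local bundle.
# Prints "accepted" or "rejected"; revocation can only be checked if a CRL is present.
endpoint_check() {           # endpoint_check <user> <bundle>
  if grep -q 'BEGIN X509 CRL' "$2"; then flag=-crl_check; else flag=; fi
  if openssl verify $flag -CAfile "$2" "$1.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

issue_user alice
issue_user bob
openssl ca -batch -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1   # initial, empty CRL
publish_bundle site_hq.pem      with_crl   # HQ holds CA cert + CRL
publish_bundle site_branch1.pem with_crl   # branch 1 copied the CRL once, never again
publish_bundle site_branch2.pem            # branch 2 only ever received the CA cert

revoke_user alice                          # alice leaves: central CA revokes, new CRL
publish_bundle site_hq.pem with_crl        # only HQ receives the updated CRL

echo "HQ       alice: $(endpoint_check alice site_hq.pem)  bob: $(endpoint_check bob site_hq.pem)"
echo "branch1  alice: $(endpoint_check alice site_branch1.pem)  (stale CRL)"
echo "branch2  alice: $(endpoint_check alice site_branch2.pem)  (no CRL at all)"
```

Running it prints `rejected` for alice only at HQ and `accepted` at both branches, which is the practical answer to the "copy the CRL across to each site" question: with one central CA the user certs validate everywhere, but each endpoint enforces only the CRL it has been given, so CRL distribution (or an AD-integrated CA with a reachable CRL distribution point) is part of the design, not an afterthought.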