Rolling out an OpenVPN PKI on an Active Directory (as in October Hangout)



  • Assume I have an Active Directory with about 50 users. Each user has at least 4 devices: 2 Windows PCs (home office, road-warrior laptop) + 2 mobiles, either an iOS or Android phone + tablet. According to the October hangout best practice (OpenVPN with an independent PKI and RADIUS authentication) I would have to set up a PKI with 50 x 4 (200) certificates and export each of them manually using the Export Wizard. After that I would have to distribute 50 memory sticks, one to each user, to enable them to install the certificates on their own devices. Actually I can't even believe anyone ever did that with a smaller (let alone a bigger) AD.

    So here’s my question:

    What is the best practice for establishing, and afterwards rolling out, a new PKI for an AD domain, assuming you have more than one user, where it might be practical to do the stuff manually without any script or server support? (Yes, we have LDAP in place, but there seems to be no script to import all LDAP users into a PKI and so on.)
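The following is an added example, not part of the original question or of the hangout material it refers to. It shows what the "script support" the question asks for can look like: a POSIX shell script that builds a private CA once, then issues one client certificate per user/device pair from a user list and wraps each certificate in an inline .ovpn profile, so nobody runs an export wizard 200 times. The user list is a constructed sample standing in for an LDAP query (in practice something like an ldapsearch over sAMAccountName); the server name vpn.example.com, the port, the CA name and the four device names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): scripted OpenVPN client PKI.
# Builds a private CA, then issues one client cert plus inline .ovpn profile
# per user/device pair, reading one user name per line from stdin.
# Assumptions: the user list normally comes from LDAP (e.g. ldapsearch on
# sAMAccountName); sample_users below is a constructed stand-in. Server name,
# port, CA name and device list are placeholders.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
DEVICES="pc-home pc-laptop phone tablet"   # the four devices per user from the post
VPN_SERVER="vpn.example.com"               # assumed server hostname
VPN_PORT=1194

# Constructed stand-in for the LDAP user export.
sample_users() {
    printf '%s\n' alice bob carol
}

# One-time CA setup. The CA is constrained to signing leaf certs only;
# its key must stay off the VPN server and off every memory stick.
init_ca() {
    mkdir -p "$PKI_DIR/ca" "$PKI_DIR/clients"
    [ -f "$PKI_DIR/ca/ca.crt" ] && return 0
    cat > "$PKI_DIR/ca/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example VPN CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$PKI_DIR/ca/ca.cnf" \
        -keyout "$PKI_DIR/ca/ca.key" -out "$PKI_DIR/ca/ca.crt" >/dev/null 2>&1
    chmod 600 "$PKI_DIR/ca/ca.key"
    # Extensions stamped on every client cert: leaf only, TLS client auth only,
    # so a stolen client cert cannot be used to impersonate the server.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = critical, digitalSignature\nextendedKeyUsage = clientAuth\nsubjectKeyIdentifier = hash\n' \
        > "$PKI_DIR/ca/client_ext.cnf"
}

profile_path() { printf '%s/clients/%s-%s/%s-%s.ovpn' "$PKI_DIR" "$1" "$2" "$1" "$2"; }

# Issue key + cert for one user/device and write a self-contained profile.
issue_client() {
    user="$1"; device="$2"; name="$user-$device"
    dir="$PKI_DIR/clients/$name"
    mkdir -p "$dir"
    # ca.cnf is reused here only for prompt=no; -subj supplies the real CN.
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI_DIR/ca/ca.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$PKI_DIR/ca/ca.crt" -CAkey "$PKI_DIR/ca/ca.key" \
        -CAserial "$PKI_DIR/ca/serial" -CAcreateserial \
        -extfile "$PKI_DIR/ca/client_ext.cnf" -out "$dir/$name.crt" >/dev/null 2>&1
    rm -f "$dir/$name.csr"
    {
        printf 'client\ndev tun\nproto udp\nremote %s %s\n' "$VPN_SERVER" "$VPN_PORT"
        printf 'remote-cert-tls server\nauth-user-pass\nverb 3\n'
        printf '<ca>\n';   cat "$PKI_DIR/ca/ca.crt"; printf '</ca>\n'
        printf '<cert>\n'; cat "$dir/$name.crt";     printf '</cert>\n'
        printf '<key>\n';  cat "$dir/$name.key";     printf '</key>\n'
    } > "$dir/$name.ovpn"
    chmod 600 "$dir/$name.ovpn" "$dir/$name.key"
}

# Read user names from stdin, issue every device's cert for each of them.
rollout() {
    init_ca
    while read -r user; do
        [ -n "$user" ] || continue
        for device in $DEVICES; do
            issue_client "$user" "$device"
        done
    done
}

# True if the cert for user/device chains to our CA and is valid as a TLS client.
verify_client() {
    openssl verify -CAfile "$PKI_DIR/ca/ca.crt" -purpose sslclient \
        "$PKI_DIR/clients/$1-$2/$1-$2.crt" >/dev/null 2>&1
}

count_profiles() { ls "$PKI_DIR/clients" | wc -l | tr -d ' '; }

sample_users | rollout
echo "profiles written under $PKI_DIR/clients"
```

Two caveats a practitioner would want: the script generates the private key centrally, which is the same trade-off the wizard approach makes (zero-touch issuance, but the key exists somewhere other than the device); where device-side key generation is possible, have the device produce the CSR and sign only that. And the script removes the per-certificate clicking, not the per-device delivery: each profile still has to reach its device over a channel you trust, and it should be deleted from the issuing host afterwards. auth-user-pass is kept in the profile so the RADIUS/AD password check from the hangout stays in the loop next to the certificate.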