Is it possible to secure client certificates when exporting a client configuration?
-
As the title asks.
I am setting up a VPN remote access server using OpenVPN and am using client certificate + username and password authentication.
I'm noting that when I export an inline config file for a testing client, it is including the certificates in the inline configuration file. It also includes the private key of the client certificate in plain text.
This is a major security flaw. There is no issue with distributing client certificates to clients (obviously) but this needs to be done with the private keys being password protected as is done in a pfx / p12 file.
I did check the box that says "Password Protect Certificate" before exporting. However, reading the fine print, it appears that only works for Viscosity clients, and not for the inline configuration for OpenVPN Connect clients.
Is there a way to make the OpenVPN Connect client rely on a Windows machine's certificate store instead of directly distributing certificates? This would give me a more secure way to distribute client certificates.
-
The variety of inline client apps that will connect to pfSense have no capability to support an encrypted config file.
So there is no functional way for the pfSense client export to encrypt the file.
You will need to encrypt the inline client config via other means when distributing,
such as zipping the file and password protecting it, or copying the inline config into a Word doc and password protecting that.
I guess it depends on what your end users are capable of doing at their end. -
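To make the two points of this thread concrete, here is an added example (my own, not part of the thread or of the pfSense client export package). The first function audits an exported inline .ovpn and reports whether its `<key>` block holds an unencrypted PEM private key, which is the condition the question describes. The second pair wraps the whole file with a passphrase-derived AES-256 key using `openssl enc`, the same "encrypt via other means" approach the answer recommends, just with OpenSSL instead of a password-protected zip. The sample config, the `vpn.example.invalid` hostname and the PLACEHOLDER PEM bodies are constructed for the example and are not a working key or certificate.

```shell
#!/bin/sh
# Added example: audit an exported inline .ovpn for a plaintext private key and
# wrap it for distribution. Not from pfSense or OpenVPN; all sample data is constructed.

# Write a constructed inline config. The PEM bodies are placeholders, not real keys.
make_sample_ovpn() {  # $1 = output path
  cat > "$1" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
auth-user-pass
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-UNENCRYPTED-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
EOF
}

# Return 0 when the <key> block carries a PEM private key with no password
# protection (neither an "ENCRYPTED PRIVATE KEY" header nor a legacy
# "Proc-Type: 4,ENCRYPTED" line); return 1 when there is no key or it is encrypted.
has_plaintext_inline_key() {  # $1 = .ovpn path
  keyblock=$(sed -n '/^<key>/,/^<\/key>/p' "$1")
  [ -n "$keyblock" ] || return 1
  printf '%s\n' "$keyblock" | grep -q -- '-----BEGIN .*PRIVATE KEY-----' || return 1
  if printf '%s\n' "$keyblock" | grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED'; then
    return 1
  fi
  return 0
}

# Encrypt the whole .ovpn for transport. The passphrase is handed to openssl via
# an environment variable rather than "pass:..." so it does not show in `ps`.
# PBKDF2 with a high iteration count slows down offline guessing of the passphrase.
encrypt_for_distribution() {  # $1 = .ovpn path, $2 = passphrase, $3 = output path
  OVPN_WRAP_PASS="$2" openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt \
    -pass env:OVPN_WRAP_PASS -in "$1" -out "$3"
}

# Reverse of encrypt_for_distribution; run on the recipient's side.
decrypt_distribution() {  # $1 = encrypted path, $2 = passphrase, $3 = output path
  OVPN_WRAP_PASS="$2" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass env:OVPN_WRAP_PASS -in "$1" -out "$3"
}
```

Run `has_plaintext_inline_key client.ovpn && echo "plaintext key found"` over every file the export package produces before handing any of them out; then `encrypt_for_distribution client.ovpn "$PASS" client.ovpn.enc` and send the passphrase over a different channel than the file. The audit only inspects PEM headers, so it reports the condition the question describes (key present, not password protected) and stays silent for configs that reference an external key file instead of inlining one.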