External CA
-
Im trying to add a user cert from an external CA to a user. But its not working, that is the requirements on the certificate to add it to a user?
/Fredrik
-
Which part doesn't work?
Does it give an error, or does the CA just not show up in the list?
-
I have no internal CA so then Im trying to add a certificate to a user I get this message. "No internal Certificate Authorities have been defined. You must createย an internal CA before creating an internal certificate."
/Fredrik
-
Hmm, I thought you could still make a user key in that case, but I'll need to run some tests to see what the problem might be there.
-
Yeah the user key needs to be 'signed' by the CA, which requires its private key.
What you really need is to make a CSR, which is then signed by the CA, and then import the resulting key into the user.
Looks like we don't have a way in the GUI to make a CSR for a user cert though.
-
I already have a certificate for the user that I would like to use. But if the only way is to make a CSR I can.
/Fredrik
-
Why do you need to import the user cert into the GUI?
I have a ticket open to add that, but it really doesn't gain you much of anything (besides the ability to use the client exporter)
-
I want to run an OpenVPN server on my firewall with my external certificate and use the client exporter. I think there is some other problems to run a OpenVPN server with an external CA.
/Fredrik
-
The only thing holding you back from that scenario is that you can't use the exporter.
What "other problems" are you referring to with an external CA?
-
Would like to use the client exportet, but here is no big problem to not use it.
One more thing regarding external user cert. I can and have imported the user cert in cert manager. So I want to bind that cert to a user.
I have done some more digging in the other problem, its the wizard thats not working. I select in the wizard that i want to use an existing external CA. But the wizard still creates a new internal CA for my openvpn server.
/Fredrik
-
One more thing regarding external user cert. I can and have imported the user cert in cert manager. So I want to bind that cert to a user.
You can't do that from there. (yet?) That isn't used for user certificates right now, though eventually I'd like to unify that so it can be managed from the same place in addition to doing it from the user manager.
I have done some more digging in the other problem, its the wizard thats not working. I select in the wizard that i want to use an existing external CA. But the wizard still creates a new internal CA for my openvpn server.
I'll have to look into that. It's been a while since I worked on the wizard, I thought that was working last time I tested it.
-
Selecting an existing CA (internal or external) should be OK now in the wizard. It won't be in the next snapshot, but it will be in the one after that.
