Proper use of external CA with IPFire OpenVPN?

I successfully managed to use my own CA for certificates used by OpenVPN clients connecting to IPFire. (To be exact: Those clients connect to different IPFire instances while I don’t want to maintain multiple certificates per client - so a separate CA comes in handy). So this basically works and seems to be supported by IPFire.
However:

  • I need to upload the certificate for the client to be able to connect. That should not be necessary, as the purpose of PKI is to authenticate up to now “unknown” communication partners. (Which works - see below)
  • If the uploaded certificate is due for prolongation or expired, it is marked yellow/orange in the list of OpenVPN clients while the OpenVPN connection by the respective client works pretty well (as long as the client has a valid certificate of course)
    • To get rid of that warning, I have to replace the certificates file on the filesystem (i.e. via ssh) because I did not find a Web GUI way to update a certificate of an already configured client.
  • If I remove (i.e. move away for testing) the client's certificate from /var/ipfire/ovpn/certs/ completely, it is shown as “expired” in the OpenVPN client list, but everything seems to work fine.

Am I missing something? Or are there some options missing in the WebGUI to get rid of the disturbances listed above?

Thank you for any insight,

/usr/local

Hello @usrlocal

Welcome to the IPFire community.

All the code for doing graphs, status of connection, etc… is done on the basis of the client connections that are shown in the WUI.

However, if you have created client certificates using the root/host certificate set that you have uploaded into the IPFire server, then all you need to do is to create a client connection in the WUI but instead of creating the client certificate you just upload the client certificate.
The Create Certificate option is enabled by default as most users will do that but you can choose to Upload a certificate request or Upload a certificate.

Also see the IPFire documentation
https://www.ipfire.org/docs/configuration/services/openvpn/config/client_conf#authentication

If you are editing or changing the certificates directly in the filesystem, then you will likely end up with mismatches between different IPFire files, which in the worst case will stop IPFire working and in the best case will likely cause the sort of issues you have found, as you would need to change not only the certificates but also all the other stored info on your system for that client connection.

The simplest is to just upload the client certificate you have created.

Hello Adolf,

thank you for responding.

I assume I understand what you are writing, but I do not get the relevance for my research. My best guess is I was wrong in writing “I need to upload a certificate” while I meant “the WUI forces me to upload a certificate”. (Actually, I believe the OpenVPN server does not need it as the client will deliver its certificate when connecting and the server will trust it by the signature of the CA.)

Yes, that is what I did - but that’s not my point.

True. Therefore I am searching (or begging for) a proper WUI way of doing so.

Please understand: The issue I found is: When the certificate I originally uploaded is expired, the WUI shows a warning in the OpenVPN client list while …

  • … as long as the client itself delivers a valid (i.e. renewed) certificate, everything is working fine. (Despite the warning)
  • … I did not find a way to upload a renewed certificate to an already configured client. (As far as I can see, your screenshots and linked documentation are for new clients)

So this is just a “cosmetic” issue and it happens before fiddling with the file on the filesystem. (The “fiddling” is a working workaround).

So: I don’t have a functional problem. Due to the cosmetic issue, I wonder what is your idea of using an external CA?

Or to phrase it differently: How do I get rid of (resp. avoid) that warning without fiddling with the certificate file directly?

/usr/local

P.S.: I just realized that the original title might have been misleading, so I replaced “own CA” by “external CA”
P.P.S.: Unfortunately I cannot provide a screenshot of the warning, as for the time being I fixed it “the dirty way”
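The two checks the thread is contrasting, as an added example that is not part of the original posts or of IPFire: the client list warns on the expiry date of the certificate file stored on the firewall, whereas at connection time what counts is that the certificate the client presents chains to the CA. The script builds a throwaway CA and certificates itself (all names, paths and validity periods are constructed for the demo) and only assumes openssl is installed.

```shell
#!/bin/sh
# Added example (not IPFire code). Assumes openssl is on PATH; every file,
# CN and validity period below is constructed for the demo.
set -eu

# Build in directory $1: a demo CA, an unrelated second CA, and two client
# certs signed by the demo CA with the same key/subject:
#   short.crt   - valid 1 day   (stands in for the stored, soon-expiring file)
#   renewed.crt - valid 365 days (what the client actually presents)
make_demo_pki() {
    d=$1
    mkdir -p "$d"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
        -days 3650 -subj "/CN=demo-ca" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/other.key" -out "$d/other-ca.crt" \
        -days 3650 -subj "/CN=other-ca" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=demo-client" >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/short.crt" -days 1 >/dev/null 2>&1
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/renewed.crt" -days 365 >/dev/null 2>&1
}

# The client-list style check: does the stored file $1 expire within $2
# seconds? Prints "warn" or "ok" (openssl -checkend exits 1 when it will).
stored_cert_status() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo warn
    fi
}

# The connection-time check: does the presented cert $2 verify against the
# CA certificate $1? Prints "trusted" or "rejected".
presented_cert_status() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo rejected
    fi
}

demo() {
    d=${TMPDIR:-/tmp}/ipfire-ca-demo.$$
    make_demo_pki "$d"
    echo "stored short.crt, 10-day horizon:   $(stored_cert_status "$d/short.crt" 864000)"
    echo "stored renewed.crt, 10-day horizon: $(stored_cert_status "$d/renewed.crt" 864000)"
    echo "presented renewed.crt vs demo CA:   $(presented_cert_status "$d/ca.crt" "$d/renewed.crt")"
    echo "presented renewed.crt vs other CA:  $(presented_cert_status "$d/other-ca.crt" "$d/renewed.crt")"
    rm -rf "$d"
}
demo
```

The short certificate triggers the warning on a 10-day horizon while still verifying fine against the CA today, which is exactly the cosmetic mismatch described above; a certificate signed by a different CA is rejected regardless of its dates.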

I misunderstood your problem. My apologies.

You can’t upload a renewed certificate for an already configured client as that client already exists in the system.

The only option I can think of is to delete the existing client in the WUI screen and then upload the certificate file as a fresh client but with the same names etc.

I have not used the option to upload a certificate as all my uses have been with the certificates created internally in IPFire.

I will try and find some time to test out the use of externally created x509 root/host and client certificates but that might be some time before I can do that and test out how things go when the client certificate expires.