Solved: Manual repair PKI on OpenVPN RFC3280 issue

Hi there,

I solved the issue above as follows.

Manual:

  1. Create a backup and open it e.g. with 7-Zip
  2. Extract:
    • /var/ipfire/ovpn/ca/cacert.pem
    • /var/ipfire/ovpn/ca/cakey.pem
    • /var/ipfire/ovpn/certs/servercert.pem
    • /var/ipfire/ovpn/certs/serverkey.pem
  3. Import Certs and Key into a new DB of https://hohnstaedt.de/xca/
    • Right-Click Server-Cert and choose “Umwandeln -> Ähnliches Zertifikat” (Transform -> Similar Cert)
    • Add “Schlüsselverwendung” (Key Usage) [Digital Signature, Key Encipherment, TLS Web Server Authentication]
  4. Export Server-Cert as PEM
  5. Replace the insufficient Cert inside IPFire “/var/ipfire/ovpn/certs/servercert.pem”

I downloaded it with curl from my own Web-Space, but SSH or SCP will do as well. Please check file ownership and rights.

Hint:
You can do “openssl verify -CAfile …/ca/cacert.pem servercert.pem” in Directory “/var/ipfire/ovpn/certs”.

Question:
@ummeegge
Is it possible to “Patch” the backup-file or do you do some signature-checks?

Greetings Martin

PS:
Because you do not change the Keys or CA you can update Expiry Dates too. But I recommend doing it wisely.
Exchanging an expired Server-Cert including Key should be fine because the trust depends on the CA (notary).
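The same repair done on the command line instead of in XCA, as an added example that is not part of the post: a new CSR is built from the existing server key, signed by the existing CA with the Key Usage and Extended Key Usage values named in step 3, and checked with the `openssl verify` command from the hint. File paths mirror the IPFire layout but are assumptions; `demo` builds a throwaway CA and key so the script runs stand-alone without touching a real installation.

```shell
#!/bin/sh
# Re-issue an OpenVPN server certificate with the extensions OpenVPN's
# RFC3280 check wants, keeping the existing CA and the existing server
# key so all client certificates stay valid. Added example, not IPFire code.
set -eu

# $1 CA cert, $2 CA key, $3 existing server key, $4 output cert, $5 CN
reissue_server_cert() {
    ca_cert=$1; ca_key=$2; srv_key=$3; out=$4; cn=$5
    work=$(mktemp -d)
    # Extension profile: Digital Signature, Key Encipherment, TLS Web Server Auth
    cat > "$work/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
EOF
    # CSR from the existing key: the server key itself does not change
    openssl req -new -key "$srv_key" -subj "/CN=$cn" -out "$work/server.csr"
    # Sign with the existing CA; 3650 days is an assumed validity period
    openssl x509 -req -in "$work/server.csr" -CA "$ca_cert" -CAkey "$ca_key" \
        -CAcreateserial -days 3650 -extfile "$work/server.ext" -out "$out"
    rm -rf "$work"
    # Same check as the hint in the post: the new cert must chain to the CA
    openssl verify -CAfile "$ca_cert" "$out" >/dev/null
}

# Returns 0 when the certificate carries the required key usage and EKU
has_server_usage() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'Digital Signature, Key Encipherment' &&
    echo "$text" | grep -q 'TLS Web Server Authentication'
}

# Constructed throwaway PKI so the example runs offline; nothing real is modified
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/cakey.pem" \
        -subj "/CN=Demo CA" -days 3650 -out "$d/cacert.pem" 2>/dev/null
    openssl genrsa -out "$d/serverkey.pem" 2048 2>/dev/null
    reissue_server_cert "$d/cacert.pem" "$d/cakey.pem" "$d/serverkey.pem" \
        "$d/servercert.pem" "ovpn-server" 2>/dev/null
    has_server_usage "$d/servercert.pem"
}
```

On a real box, call `reissue_server_cert` on copies of the files listed in step 2 and only then replace `/var/ipfire/ovpn/certs/servercert.pem`, checking ownership and permissions afterwards as the post says.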

Hi,

I do not really get what you are trying to do here…?!

Hi,
I faced a situation similar to this one: https://forum.ipfire.org/viewtopic.php?t=21330

But renewing the PKI leads to updating every client. In my case this translates to: I have to collect all client-notebooks and do this update myself, because the users of these notebooks are not able to do it themselves without creating even more expenditure.

So I thought if I want to repair the server-certificate I do not have to exchange the notary aka CA and therefore all client-certificates remain valid. No notebook has to be touched.

And because I had found a working solution, I wanted to share it with others to save them the trouble of replacing the entire PKI.

The final step is to replace the broken server certificate with the repaired one. Of course you can do this using ssh, but because I extracted the PEMs from my IPFire backup file, it might be possible to replace the server certificate within this backup file e.g. with 7-Zip and restore this backup. In my opinion, this should work until you perform an integrity check that rejects manipulated backup files during recovery.

Perhaps you already perform integrity checks, or you plan to check the integrity of backups in the future. I don’t know if it works, because I didn’t try it so as not to jeopardize my instance. In this case, my idea of how to get the repaired cert back into IPFire would not be the best one, although it is very convenient to use nothing else but the web-GUI, especially for Linux-inexperienced users…

That is why I asked you if it is possible to “patch” a backup-file. :wink: