When a user is connected to my OpenVPN server, I would like to extract the ID of the client's certificate.
The purpose is to write a script that will prevent users from sharing their certificates with others. Right now any certificate will work with any valid LDAP user.
When I set script-security 3, which seems to give the most info to the env variable, I see the variables at the bottom of this post (actual values removed). As far as I can tell, nothing in there can be tied to the certificate the user used.
Question
How do I get hold of the client's certificate/key ID, so I can match it against /etc/openvpn/easy-rsa/2.0/keys/*{.crt,.csr,.key}? The filename is the LDAP username.
E.g.
/etc/openvpn/easy-rsa/2.0/keys/bob.crt
/etc/openvpn/easy-rsa/2.0/keys/bob.csr
/etc/openvpn/easy-rsa/2.0/keys/bob.key
Dump of env variable
X509_1_OU=
common_name=
route_gateway_1=
ifconfig_remote=
untrusted_ip=
ifconfig_local=
proto_1=
tls_serial_1=
tls_serial_0=
tun_mtu=
X509_1_emailAddress=
tls_id_0=
X509_1_L=
tls_id_1=
X509_1_O=
password=
script_type=
verb=
username=
local_port_1=
config=
X509_0_CN=
dev=
auth_control_file=
X509_1_C=
X509_1_ST=
route_network_1=
remote_port_1=
PWD=
route_net_gateway=
daemon=
X509_1_name=
untrusted_port=
SHLVL=
script_context=
route_vpn_gateway=
route_netmask_1=
daemon_start_time=
X509_0_ST=
daemon_pid=
X509_1_CN=
X509_0_OU=
X509_0_emailAddress=
daemon_log_redirect=
X509_0_C=
X509_0_L=
link_mtu=
X509_0_O=
Upvotes: 3
Views: 3695
The crt is signed by the key. You can't change the crt without generating a new csr and signing it with the key again. I'm not an expert authority, so I don't know which, but there should be some fields that the client can't change without breaking the certificate's validation. Looking at the wiki page, it would seem to me you can't change the Subject attributes (CN, etc.).
So if you're validating user bob, with bob.crt, then make sure in the certificate the CN is bob. Matching all three of these should mean that bob is logging in with his own certificate.
Upvotes: 1
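The check the answer describes, written out as an added example (this is not code from the question or the answer): an auth-user-pass-verify script that OpenVPN runs with the variables from the env dump above and that rejects the login unless the LDAP username equals the CN of the presented client certificate and a certificate of that name exists in the easy-rsa keys directory from the question. The server.conf lines in the comment, the script path and the KEYS_DIR override are assumptions; the variable names (username, password, common_name, X509_0_CN, script_type, untrusted_ip) are the ones that appear in the env dump.

```shell
#!/bin/sh
# Added example, not from the original post: OpenVPN auth-user-pass-verify
# script that refuses a login when the LDAP username does not match the CN
# of the client certificate presented in the TLS handshake.
#
# Assumed server.conf lines (not on the page):
#   script-security 3
#   auth-user-pass-verify /etc/openvpn/check-cert-owner.sh via-env
#
# With "via-env", OpenVPN exports the credentials as $username / $password
# and the certificate subject fields as $X509_0_CN (depth 0 = the client's
# own certificate) and $common_name, the names seen in the env dump.

KEYS_DIR="${KEYS_DIR:-/etc/openvpn/easy-rsa/2.0/keys}"   # keys path from the question

# check_cert_owner USERNAME CN [KEYS_DIR]
# Returns 0 (accept) only when all three hold:
#   1. USERNAME consists of [A-Za-z0-9._-] only, so it cannot contain "/" or ".."
#      and therefore cannot escape KEYS_DIR when used as a file name;
#   2. the certificate CN is byte-for-byte identical to USERNAME;
#   3. KEYS_DIR/USERNAME.crt exists, i.e. the CA on this box issued a cert for it.
check_cert_owner() {
    user="$1"
    cn="$2"
    dir="${3:-$KEYS_DIR}"

    case "$user" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;   # empty or contains unsafe characters
    esac
    [ "$user" = "$cn" ] || return 1         # cert CN must equal the LDAP username
    [ -f "$dir/$user.crt" ] || return 1     # must be a cert we issued under that name
    return 0
}

# OpenVPN sets $script_type when it invokes the script (it appears in the env
# dump); when the file is sourced or tested by hand this block is skipped.
if [ -n "${script_type:-}" ]; then
    # X509_0_CN always comes from the certificate itself; common_name is only a
    # fallback, since options such as username-as-common-name can rewrite it.
    cn="${X509_0_CN:-${common_name:-}}"
    if check_cert_owner "${username:-}" "$cn"; then
        logger -t openvpn-cert-owner "accept user=$username cn=$cn ip=${untrusted_ip:-?}"
        exit 0
    fi
    logger -t openvpn-cert-owner "REJECT user=${username:-} cn=$cn ip=${untrusted_ip:-?}"
    exit 1
fi
```

OpenVPN treats a non-zero exit from an auth-user-pass-verify script as an authentication failure, so the LDAP plugin can keep doing the password check while this script enforces that the password's owner and the certificate's owner are the same person. The reject line is logged with the peer's untrusted_ip so a shared certificate shows up in the server log as a mismatch between username and CN rather than as a silent success.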