[[[ Certificates ]]]

[[ VPN Two-Factor Authentication (2FA) ]]
# example for 2FA
@ http://ocserv.gitlab.io/www/recipes-ocserv-2fa.html

[[ OpenSSL ]]
# openssl ca (command that uses a text database to create CRLs and certificates with serials)
@ https://www.openssl.org/docs/manmaster/man1/ca.html
# openssl x509
@ https://www.openssl.org/docs/manmaster/man1/x509.html

[[ Android ]]
# Android 7.x cert installation behavior changes
@ https://stackoverflow.com/questions/39215229/how-to-get-charles-proxy-work-with-android-7-nougat
"What complicates matters is that the Settings -> Security -> Install from storage does not provide an explicit way for the user to specify whether they are installing a client authentication credential (private key + cert chain) or a server authentication trust anchor (just a CA cert -- no private key needed). As a result, the Settings -> Security -> Install from storage flow guesses whether it's dealing with client/user authentication credential or server authentication trust anchor by assuming that, if a private key is specified, it must be a client/user authentication credential."

[[ StrongSwan Maintenance Cert ]]

[[ StrongSwan CA Intermediates ]]

[[ Certificate Attributes ]]
@ https://superuser.com/questions/738612/openssl-ca-keyusage-extension#738644
# example of configuration options
@ https://github.com/JW0914/Wikis/blob/master/Scripts%2BConfigs/OpenSSL/openssl.cnf

pathLenConstraint == 0
"I.e. a pathLenConstraint of 0 does still allow the CA to issue certificates, but these certificates must be end-entity-certificates (the CA flag in BasicConstraints is false - these are the "normal" certificates that are issued to people or organizations)"

pathLenConstraint > 0
"If the pathLenConstraint of a given CA certificate is > 0, then it expresses the number of possible intermediate CA certificates in a path built from an end-entity certificate up to the CA certificate. Let's say CA X has a pathLenConstraint of 2, the end-entity certificate is issued to EE. Then the following scenarios are valid (I denoting an intermediate CA certificate)"

VALID
X - EE
X - I1 - EE
X - I1 - I2 - EE

INVALID
X - I1 - I2 - I3 - EE

[[ VPN Clients ]]
[ misc notes ]
TUN/TAP
"Mac OS X users with OS X 10.6 or older, or using OpenConnect 6.00 or older, will also need to install the Mac OS X tun/tap driver. Newer versions of OpenConnect will use the utun device on OS X which does not require additional kernel modules to be installed."

[ openconnect ]
# Support --key-password for GnuTLS PKCS#11 PIN.
# site
@ http://www.infradead.org/openconnect/
# comments that this works
@ https://gist.github.com/moklett/3170636
# compiling
@ http://www.infradead.org/openconnect/building.html

[ Tunnelblick ]
@ https://github.com/Tunnelblick/Tunnelblick
@ https://www.tunnelblick.net/cInstall.html

[[ IKEv2 vs OpenVPN ]]
@ https://security.stackexchange.com/questions/105967/ikev2-vs-openvpn
@ https://security.stackexchange.com/questions/63330/are-there-any-reasons-for-using-ssl-over-ipsec

[[ CA Intermediate ]]
[ Links ]
# nice tutorial site
@ https://roll.urown.net/ca/ca_intermed_setup.html
@ https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html
@ https://smartnets.wordpress.com/2017/04/27/create-certificate-chain-and-sign-certificates-using-openssl/
# simple, direct, examples
@ https://wiki.cementhorizon.com/display/CH/Example+CA%2C+Intermediate%2C+and+Server+Certificate
# Wiki
@ https://en.wikipedia.org/wiki/Certificate_signing_request

[ Example Code ]
# Generate CSR & CA_I keys
$ openssl req -new -newkey rsa:2048 -nodes -out ca_i.csr -keyout ca_i_key_222.key -subj "/C=US/ST=Railroad/L=Train/O=ACME INC./OU=ACME Flyaway/CN=www.acme.xyz"

# Create CA (SHA-256: SHA-1 signatures are rejected by current browsers and by OpenSSL 3 defaults)
openssl genrsa -out ca.key 4096
openssl req -new -x509 -nodes -sha256 -days 1825 -key ca.key -out ca.crt

# Create Intermediate
openssl genrsa -out intermediate.key 4096
openssl req -new -sha256 -key intermediate.key -out intermediate.csr

# CA signs Intermediate
# -extfile is required here: without it "openssl x509 -req" writes a v1 certificate with no
# basicConstraints=CA:TRUE, and verifiers will not accept the intermediate as a CA
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > intermediate.ext
openssl x509 -req -sha256 -days 1825 -in intermediate.csr -CA ca.crt -CAkey ca.key -set_serial 01 -extfile intermediate.ext -out intermediate.crt

# Create Server
openssl genrsa -out test.example.com.key 4096
openssl req -new -key test.example.com.key -out test.example.com.csr

# Intermediate signs Server (serial 01 is fine again because the issuer is different)
openssl x509 -req -sha256 -days 1825 -in test.example.com.csr -CA intermediate.crt -CAkey intermediate.key -set_serial 01 -out test.example.com.crt

[ Certificate Signing Request ]
# answers to the openssl req prompts, in order (C, ST, L, O, OU, CN, emailAddress):
# "US", "RailRoad", "City", "ACME", "ACME Flyaway", "flyaway.acme.xyz", "admin@acme.xyz"
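The pathLenConstraint scenarios from the Certificate Attributes section and the intermediate-signing commands above, worked through as an added shell example (not from these notes or from any of the linked tutorials). The CA names X, I1, I2 and EE are the page's scenario names; the extension files and the temp directory are constructed here, and openssl must be on PATH:

```shell
#!/bin/sh
# Added example: chain X -> I1 -> EE with pathlen:1 on root X and pathlen:0 on
# I1, then a second intermediate I2 issued by I1 that verification must reject.
# Names X, I1, I2, EE are the page's scenario names; all files are created here.
set -eu

# gen_csr NAME: fresh RSA key + CSR with CN=NAME (unencrypted key, demo only)
gen_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: ISSUER signs NAME.csr applying the v3 extensions.
# Without -extfile 'openssl x509 -req' emits a v1 cert with no basicConstraints,
# which no verifier will accept as a CA.
sign() {
  openssl x509 -req -sha256 -days 365 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
    -CAcreateserial -extfile "$3" -out "$1.crt" 2>/dev/null
}

# verify_chain ROOT UNTRUSTED LEAF: prints valid/invalid rather than exiting
verify_chain() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
  then echo valid; else echo invalid; fi
}

# pathlen_demo: prints "<X-I1-EE result> <X-I1-I2-EE2 result>", i.e. "valid invalid"
pathlen_demo() (
  cd "$(mktemp -d)"
  # Extension profiles (constructed for this example)
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub_ca.ext
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext
  # Root X: self-signed with its own key, at most one intermediate below it
  gen_csr X
  openssl x509 -req -sha256 -days 365 -in X.csr -signkey X.key -extfile root.ext -out X.crt 2>/dev/null
  gen_csr I1;  sign I1 X sub_ca.ext    # pathlen:0 -> I1 may issue only end-entity certs
  gen_csr EE;  sign EE I1 ee.ext
  gen_csr I2;  sign I2 I1 sub_ca.ext   # x509 -req signs it, but it violates I1's pathlen:0
  gen_csr EE2; sign EE2 I2 ee.ext
  cat I1.crt I2.crt > chain.pem
  echo "$(verify_chain X.crt I1.crt EE.crt) $(verify_chain X.crt chain.pem EE2.crt)"
)

pathlen_demo   # prints: valid invalid
```

The second chain fails with "path length constraint exceeded": I1 signed I2 without complaint, so the constraint only bites at verification time, which is why the issuing side must also enforce it (for example via the openssl ca policy rather than a bare x509 -req).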