From: Dave <de...@zi...> - 2008-09-22 12:45:51
...

> > Does anyone know of a simpler way I could implement a (scalable)
> > multi-client -> server architecture but have the server certificates
> > (ca.crt and a ta.key) automatically transferred to the client (I assume
> > via openvpn itself perhaps?), or would these 2 files need to be added
> > to a customized OpenVPN client installer?
> >
> > Also, how would I go about generating a client cert and key on the fly?
> > I assume the server's ca.key is needed for this. Is it even possible to
> > do any of this stuff via PHP scripts?

...

All those certs/keys can be embedded in the config file itself, though I
somehow think that's not entirely what you are wanting.

If the server were to give out its ca/ta certificate on connection, this
rather defeats the purpose of having the server certificate, because then
the server is saying 'trust me, I'm the server you want' as opposed to
'here's who I say I am, do you trust me?'. Similarly, if it were to give
out the client cert and key upon connection, the server is saying 'I trust
you, whoever you are, come on in' as opposed to 'tell me who you are and
then I will check if I trust you'.

Anyhow, maybe this is still what you want to do, and you just want to rely
on the username/password as authentication. If so, then you could ignore
the value that the certs contribute. You could just make one (generic)
client cert, embed all the certs in the config file, and use the
auth-user-pass, auth-user-pass-verify and username-as-common-name options
to implement a more common username/password authentication scheme.

-Dave
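The scheme Dave outlines (one generic client cert, ca.crt/ta.key and the cert/key embedded inline in the .ovpn, username/password checked by an auth-user-pass-verify script on the server), written out as an added example that is not part of the original thread. The hostname, file paths, user names, salt/hash credential format and the placeholder PEM text are all constructed for illustration; only the OpenVPN option names and the via-file argument format are the real ones.

```shell
# Added example (not from the original thread). Everything below except the
# OpenVPN option names is hypothetical: vpn.example.com, /etc/openvpn/verify.sh,
# the credential file format and the placeholder PEM blocks are constructed.

# SHA-256 hex digest of stdin (coreutils sha256sum, else shasum).
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        shasum -a 256 | cut -d' ' -f1
    fi
}

# One credentials line: user:salt:sha256(salt || password). Constructed format;
# a real deployment would call PAM/LDAP here instead of a flat file.
make_cred_line() {
    printf '%s:%s:%s\n' "$1" "$2" "$(printf '%s%s' "$2" "$3" | sha256_hex)"
}

# Body of the auth-user-pass-verify script in via-file mode: OpenVPN passes a
# temp file whose line 1 is the username and line 2 the password; exit 0 accepts.
#   $1 = temp file from OpenVPN, $2 = credentials file
verify_user() {
    user=$(sed -n '1p' "$1")
    pass=$(sed -n '2p' "$1")
    # With username-as-common-name the username becomes the client's CN and
    # flows into other scripts/logs, so restrict it to a safe character set.
    case "$user" in ""|*[!A-Za-z0-9._@-]*) return 1 ;; esac
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$2")
    [ -n "$line" ] || return 1
    salt=$(printf '%s' "$line" | cut -d: -f2)
    stored=$(printf '%s' "$line" | cut -d: -f3)
    [ "$(printf '%s%s' "$salt" "$pass" | sha256_hex)" = "$stored" ]
}

# Emit <tag>...</tag> with the file's contents inline.
inline_file() {
    printf '<%s>\n' "$1"; cat "$2"; printf '</%s>\n' "$1"
}

# Client .ovpn with ca.crt, ta.key and the generic cert/key embedded, so the
# installer ships this one file and nothing else.
#   $1 = server host, $2 = ca.crt, $3 = ta.key, $4 = client.crt, $5 = client.key
build_client_config() {
    printf 'client\ndev tun\nproto udp\nremote %s 1194\n' "$1"
    printf 'nobind\npersist-key\npersist-tun\n'
    printf 'remote-cert-tls server\n'   # only accept a server-role certificate
    printf 'auth-user-pass\n'           # prompt for username/password
    printf 'key-direction 1\n'          # inline tls-auth needs the direction here
    inline_file ca "$2"
    inline_file cert "$4"
    inline_file key "$5"
    inline_file tls-auth "$3"
}

# Matching server-side lines (OpenVPN 2.1+ needs script-security 2 to run scripts).
server_config_snippet() {
    cat <<'EOF'
tls-auth ta.key 0
script-security 2
auth-user-pass-verify /etc/openvpn/verify.sh via-file
username-as-common-name
EOF
}

# Constructed placeholder PEM files so the example runs offline; not real keys.
make_placeholder_files() {
    for f in ca.crt client.crt client.key ta.key; do
        printf '%s\n' '-----BEGIN PLACEHOLDER-----' "CONSTRUCTED $f" \
            '-----END PLACEHOLDER-----' > "$1/$f"
    done
}
```

As a standalone /etc/openvpn/verify.sh the script would just be the `verify_user` function followed by `verify_user "$1" /etc/openvpn/users`. Note what this buys and what it does not: ta.key keeps unauthenticated packets off the TLS stack, and remote-cert-tls stops a stolen generic client cert from being used to impersonate the server, but everyone holding the .ovpn reaches the password prompt, so the whole scheme is only as strong as the verify script and the passwords behind it.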