[vpn-help] Cert q's

Matthew Grooms mgrooms at shrew.net
Thu Aug 31 23:49:35 CDT 2006


Peter Eisch wrote:
> 
> On to certificates.  I mentioned last week that I'd like to use p12 cert
> bundles which include the ca.crt, the client's cert and key.  Is there a way
> to just load a p12 and have the client unbundle the three components when
> {,xauth-}rsasig is selected?  Specifically, in the tab for certs there would
> just be one input box to select the path of the p12 and perhaps a radio
> button to select p12 or discrete files.  Whenever the p12 path changes,
> there would need to be a password panel that pops up to prompt for the
> password.  I'd guess that the client could save/"import" the cert parts into
> the certs directory out of the p12 and not store the p12 per se.
> 

I follow you all the way up until the p12 password panel. Do you mean a 
password to read an encrypted p12 file? You will have to forgive me. I 
built the p12 cert handlers quite some time ago after Yvan from the 
ipsec-tools team suggested it would be a good thing to have support for.

It should be possible to specify the same p12 file for all three 
credential file paths. I chose this compromise as I wanted to keep the 
interface simple and not be too p12 specific.

> Another way to look at using certs is to use the keystore that comes with
> XP.  It could do all the p12 management and the client could just reference
> the certs as they're stored there.
> 

At some point, the client will be ported to other architectures. The 
effort will begin with BSD and then move on to MacOSX and Linux. I tend 
to shy away from using any built-in OS facilities to keep the code base 
as platform agnostic as possible. When that's not feasible, I put 
together an abstraction library. For example, libvnet wraps my kernel 
driver interface on Windows but will wrap tun/tap interfaces on *nix. To 
ipsecd, it's just another virtual Ethernet interface it accesses via libvnet.

> The Cisco concentrators basically chew up the p12s quite nicely and stuff
> them in the config -- I guess I'm thinking that maybe the certs loaded from
> the p12 could even be stored in the vpn profile config.  That could be quite
> handy but if the admin of such certs had a requirement that they can never
> be exported there would be a snafu.
> 
> Perhaps you've thought on this?
> 

I had thought about storing the cert information in the site 
configuration file when exported. Then on import, the client would dump 
the cert info back out into discrete files. This would be better for 
pre-configured client installations so the cert doesn't have to be 
bundled like you do at present.

http://www.shrew.net/vpn/help-1.1/preconfiguredinstalls.htm

For non-MS platforms, the config file will be *the* data storage format 
for site configuration.

If an admin plans on distributing certs for vpn authentication, I don't 
see why they would raise an objection to how the cert is packaged unless 
it's a question of the container format offering another level of 
encryption. After all, for hybrid auth it's just some ASN.1 string and 
public key data that can only be used to authenticate a message 
encrypted with the server's private key. For mutual authentication, 
things get a bit more complicated because of the private key 
distribution. In either case, the distributed key is only as safe as the 
distributed password used to decrypt the key when the client is in use.

Maybe that can be sent via an ipsec tunnel ;)

-Matthew
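The unbundling step Peter describes (one p12 in, ca.crt / client cert / client key out, with the password asked for up front) can be shown with the openssl command-line tool. The script below is an added example for this thread, not Shrew Soft client code: it builds a throwaway CA and client identity, packs them into a password-protected p12, splits the p12 back into the three discrete files the client's credential paths expect, and checks that the pieces fit together. Every file name, subject and password in it is constructed for the demonstration, and it assumes `openssl` is installed.

```shell
#!/bin/sh
# Added example (not Shrew Soft code). Assumes the openssl CLI is present.
# All names, subjects and the password below are constructed for the demo.

# make_test_bundle DIR PASSWORD
# Creates DIR/bundle.p12 holding a self-signed CA cert, a client cert signed
# by that CA, and the client's private key. The CA's own key stays out.
make_test_bundle() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=example-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null
    # The export password both encrypts the key and keys the integrity MAC,
    # so nothing in the bundle can be read without it.
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -certfile "$dir/ca.crt" -passout "pass:$pass" -out "$dir/bundle.p12"
}

# unbundle_p12 P12 PASSWORD OUTDIR
# Splits a p12 into OUTDIR/ca.crt, OUTDIR/client.crt and OUTDIR/client.key.
# A wrong password fails the MAC check before any file is written, which is
# why a client has to prompt for it as soon as the p12 path is chosen.
unbundle_p12() {
    p12=$1; pass=$2; out=$3
    mkdir -p "$out"
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -cacerts -nokeys \
        -out "$out/ca.crt" || return 1
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out/client.crt" || return 1
    # -nodes writes the private key unencrypted; keep it owner-readable only.
    (umask 077; openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
        -out "$out/client.key") || return 1
}

# verify_parts OUTDIR
# Confirms the split pieces belong together: client.crt chains to ca.crt and
# the public half of client.key matches the key inside client.crt.
verify_parts() {
    out=$1
    openssl verify -CAfile "$out/ca.crt" "$out/client.crt" >/dev/null || return 1
    openssl x509 -in "$out/client.crt" -noout -pubkey > "$out/cert.pub"
    openssl pkey -in "$out/client.key" -pubout > "$out/key.pub"
    cmp -s "$out/cert.pub" "$out/key.pub"
}
```

Usage: `make_test_bundle /tmp/demo s3cret`, then `unbundle_p12 /tmp/demo/bundle.p12 s3cret /tmp/demo/parts` and `verify_parts /tmp/demo/parts`. The split files carry the same trust as the bundle did, which is the point Matthew makes above: once the key is on disk in discrete files it is protected only by file permissions, whereas inside the p12 it is protected by the password.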


