Yubico Forum
https://forum.yubico.com/

[HOW TO] OpenVPN with PIV PKCS#11 on Linux
https://forum.yubico.com/viewtopic.php?f=26&t=2124
Page 1 of 1

Author:  hiviah [ Fri Dec 11, 2015 11:31 am ]
Post subject:  [HOW TO] OpenVPN with PIV PKCS#11 on Linux

This HOWTO describes how to import your existing OpenVPN RSA key and certificate into slot 9c of the PIV applet.

Some people have been using it before, but I have encountered a few rough edges that might be documented somewhere.

You'll need these packages installed:

  • openvpn
  • opensc
  • yubico-piv-tool or yubikey-piv-manager

Warning: some OpenVPN packages don't work with this, e.g. recent OpenVPN on Fedora 23 breaks. Ubuntu 14.04 works.

Assumption: you have files client.key, client.crt and ca.crt representing your existing key, client certificate and CA certificate respectively, all in PEM format.

First, convert them to pkcs12 (you may encounter this bug when importing from PEM directly), set empty passphrase when asked for PKCS#12 passphrase:

Code:
openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes


Now, import the cert_key.p12 in one of the following ways (the GUI way is probably simpler):

  • import the newly generated cert_key.p12 either in the GUI PIV Manager
  • or use yubico-piv-tool to do the same (change -k to -P if you didn't set management key):
    Code:
    yubico-piv-tool -s 9c -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k

Let's see under what name the OpenVPN application sees your certificate. To do this, locate the opensc-pkcs11.so library. On most distros you'll find it at /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so or /usr/lib64/opensc-pkcs11.so (for 64-bit platforms). Run as root with the correct location of the opensc-pkcs11.so library:

Code:
# openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Certificate
       DN:             C=CZ, ...
       Serial:         02
       Serialized id:  piv_II/PKCS\x2315\x20emulated/0575ebacfe300911/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02


In your openvpn.conf, locate the "cert" and "key" clauses; we will replace them with:

Code:
pkcs11-id piv_II/PKCS\\x2315\\x20emulated/0575ebacfe300911/PIV_II\\x20\\x28PIV\\x20Card\\x20Holder\\x20pin\\x29/02
pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


We just copied the PKCS#11 Serialized id from the previous step - but make sure to escape backslashes by adding another backslash. (The serialized ID is somehow wrong in Fedora 23 and therefore OpenVPN there does not work with PIV applet.)

Now try running openvpn again with your Yubikey inserted; it should ask for your PIN:

Code:
openvpn --config openvpn.conf
Fri Dec 11 11:19:06 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Fri Dec 11 11:19:06 2015 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Fri Dec 11 11:19:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 11 11:19:06 2015 Control Channel Authentication: using 'tls_auth.key' as a OpenVPN static key file
Fri Dec 11 11:19:06 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Dec 11 11:19:06 2015 UDPv4 link local: [undef]
Fri Dec 11 11:19:06 2015 UDPv4 link remote: [AF_INET]1.2.6.5:1194
Fri Dec 11 11:19:06 2015 TLS: Initial packet from [AF_INET]1.2.6.5:1194, sid=b14bf3bf 4f16ba93
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=1, C=CZ, ...
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=0, C=CZ, ...
Enter PIV_II (PIV Card Holder pin) token Password:


The VPN should work as it did before, but now the PIV applet on your Yubikey authenticates you.

Warning: The hex part in the serialized id will change when you add new certificates/keys later; you'll have to edit openvpn.conf again!

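As an added example (not part of hiviah's post, nor code from the OpenVPN, OpenSC or Yubico projects), here is the whole procedure collected into a POSIX shell script. The part that can be checked offline takes the output of "openvpn --show-pkcs11-ids", pulls out the Serialized id, doubles every backslash exactly as the post requires, and rewrites openvpn.conf by dropping the cert/key clauses and appending the pkcs11-id and pkcs11-providers lines. The sample listing embedded in the script is constructed from the post's output, the provider path is an assumption (override it with PKCS11_PROVIDER), and the commands that touch the Yubikey only run when RUN_ON_DEVICE=1 is set.

```shell
#!/bin/sh
# Added example, not from the forum post: derive the escaped pkcs11-id from
# `openvpn --show-pkcs11-ids` output and patch openvpn.conf accordingly.
set -eu

# Assumption: Debian/Ubuntu 64-bit location of the OpenSC PKCS#11 module.
PROVIDER="${PKCS11_PROVIDER:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}"

# Constructed sample of `openvpn --show-pkcs11-ids` output (mirrors the post).
SAMPLE_IDS='Certificate
       DN:             C=CZ, O=Example, CN=client
       Serial:         02
       Serialized id:  piv_II/PKCS\x2315\x20emulated/0575ebacfe300911/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02'

# Print the first "Serialized id:" value found on stdin.
extract_serialized_id() {
    sed -n 's/^[[:space:]]*Serialized id:[[:space:]]*//p' | head -n 1
}

# Double every backslash so OpenVPN's config parser reads the id back verbatim.
escape_for_config() {
    printf '%s\n' "$1" | sed 's/\\/\\\\/g'
}

# The escaped id derived from the constructed sample above.
sample_pkcs11_id() {
    escape_for_config "$(printf '%s\n' "$SAMPLE_IDS" | extract_serialized_id)"
}

# Rewrite an openvpn.conf: remove cert/key (and any stale pkcs11-*) clauses,
# then append the pkcs11-id and pkcs11-providers lines.
# $1 = config path, $2 = raw (unescaped) serialized id, $3 = provider library.
configure_pkcs11() {
    conf="$1"; raw_id="$2"; provider="$3"
    escaped="$(escape_for_config "$raw_id")"
    tmp="$(mktemp)"
    grep -Ev '^[[:space:]]*(cert|key|pkcs11-id|pkcs11-providers)([[:space:]]|$)' \
        "$conf" > "$tmp" || true
    printf 'pkcs11-id %s\npkcs11-providers %s\n' "$escaped" "$provider" >> "$tmp"
    mv "$tmp" "$conf"
}

# Device-dependent steps from the post; only run on request.
enroll_yubikey() {
    # 1. Bundle key, cert and CA into PKCS#12 (set an empty passphrase when asked).
    openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt \
        -certfile ca.crt -nodes
    # 2. Import key and certificate into PIV slot 9c (prompts for the management key).
    yubico-piv-tool -s 9c -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k
    # 3. Ask OpenVPN how it names the certificate and patch the config.
    raw_id="$(openvpn --show-pkcs11-ids "$PROVIDER" | extract_serialized_id)"
    configure_pkcs11 openvpn.conf "$raw_id" "$PROVIDER"
}

if [ "${RUN_ON_DEVICE:-0}" = 1 ]; then
    enroll_yubikey
else
    printf 'pkcs11-id %s\n' "$(sample_pkcs11_id)"
fi
```

Run it without RUN_ON_DEVICE to see the escaped line that would land in openvpn.conf; the post's warning still applies, since the hex part of the id changes whenever another certificate or key is added to the token, so the script has to be re-run (or the config re-edited) after that.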