This HOWTO describes how to import your existing OpenVPN RSA key and certificate into slot 9c of PIV applet.
Some people have been using it before, but I have encountered a few rough edges that might be documented somewhere.
You'll need these packages installed:
- openvpn
- opensc
- yubico-piv-tool or yubikey-piv-manager
Warning: some OpenVPN packages don't work with this, e.g. recent OpenVPN on Fedora 23 breaks. Ubuntu 14.04 works.
Assumption: you have files client.key, client.crt and ca.crt representing your existing key, client certificate and CA certificate respectively, all in PEM format.
First, convert them to pkcs12 (you may encounter this
bug when importing from PEM directly), set empty passphrase when asked for PKCS#12 passphrase:
Code:
openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes
Now, import the cert_key.p12 in one of following ways (the GUI way is probably simpler):
Let's see under what name the OpenVPN application sees your certificate. To do this, locate opensc-pkcs11.so library. On most distros you'll find it as openvpn /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so or openvpn --show-pkcs11-ids /usr/lib64/opensc-pkcs11.so (for 64-bit platforms). Run as root with the correct location of opensc-pkcs11.so library:
Code:
# openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Certificate
DN: C=CZ, ...
Serial: 02
Serialized id: piv_II/PKCS\x2315\x20emulated/0575ebacfe300911/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02
In your openvpn.conf, locate "cert" and "key" clausules, we will replace them with:
Code:
pkcs11-id piv_II/PKCS\\x2315\\x20emulated/0575ebacfe300911/PIV_II\\x20\\x28PIV\\x20Card\\x20Holder\\x20pin\\x29/02
pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
We just copied the PKCS#11 Serialized id from previous step - but
make sure to escape backslashes by adding another backslash. (The serialized ID is somehow wrong in Fedora 23 and therefore OpenVPN there does not work with PIV applet.)
Now try the openvpn to run again with your Yubikey inserted, it should ask for your PIN:
Code:
openvpn --config openvpn.conf
Fri Dec 11 11:19:06 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec 1 2014
Fri Dec 11 11:19:06 2015 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Fri Dec 11 11:19:06 2015 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 11 11:19:06 2015 Control Channel Authentication: using 'tls_auth.key' as a OpenVPN static key file
Fri Dec 11 11:19:06 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Dec 11 11:19:06 2015 UDPv4 link local: [undef]
Fri Dec 11 11:19:06 2015 UDPv4 link remote: [AF_INET]1.2.6.5:1194
Fri Dec 11 11:19:06 2015 TLS: Initial packet from [AF_INET]1.2.6.5:1194, sid=b14bf3bf 4f16ba93
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=1, C=CZ, ...
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=0, C=CZ, ...
Enter PIV_II (PIV Card Holder pin) token Password:
The VPN should work as it did before, but now PIV applet on your Yubikey authenthicates you.
Warning: The hex part in serialized id will change when you add new certificates/keys later, you'll have to edit openvpn.conf again!
Login
FAQ
Search
