Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 7:44 pm

All times are UTC + 1 hour




Post new topic Reply to topic  [ 1 post ] 
Author Message
PostPosted: Fri Dec 11, 2015 11:31 am 
Offline

Joined: Tue May 28, 2013 1:14 pm
Posts: 26
This HOWTO describes how to import your existing OpenVPN RSA key and certificate into slot 9c of PIV applet.

Some people have been using it before, but I have encountered a few rough edges that might be documented somewhere.

You'll need these packages installed:

  • openvpn
  • opensc
  • yubico-piv-tool or yubikey-piv-manager

Warning: some OpenVPN packages don't work with this, e.g. recent OpenVPN on Fedora 23 breaks. Ubuntu 14.04 works.

Assumption: you have files client.key, client.crt and ca.crt representing your existing key, client certificate and CA certificate respectively, all in PEM format.

First, convert them to pkcs12 (you may encounter this bug when importing from PEM directly), set empty passphrase when asked for PKCS#12 passphrase:

Code:
openssl pkcs12 -export -out cert_key.p12 -inkey client.key -in client.crt -certfile ca.crt -nodes


Now, import the cert_key.p12 in one of following ways (the GUI way is probably simpler):

  • import the newly generated cert_key.p12 either in the GUI PIV Manager
  • or use yubico-piv-tool to do the same (change -k to -P if you didn't set management key):
    Code:
    yubico-piv-tool -s 9c -i cert_key.p12 -K PKCS12 -a import-key -a import-cert -k

Let's see under what name the OpenVPN application sees your certificate. To do this, locate opensc-pkcs11.so library. On most distros you'll find it as openvpn /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so or openvpn --show-pkcs11-ids /usr/lib64/opensc-pkcs11.so (for 64-bit platforms). Run as root with the correct location of opensc-pkcs11.so library:

Code:
# openvpn --show-pkcs11-ids /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
Certificate
       DN:             C=CZ, ...
       Serial:         02
       Serialized id:  piv_II/PKCS\x2315\x20emulated/0575ebacfe300911/PIV_II\x20\x28PIV\x20Card\x20Holder\x20pin\x29/02


In your openvpn.conf, locate "cert" and "key" clausules, we will replace them with:

Code:
pkcs11-id piv_II/PKCS\\x2315\\x20emulated/0575ebacfe300911/PIV_II\\x20\\x28PIV\\x20Card\\x20Holder\\x20pin\\x29/02
pkcs11-providers /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


We just copied the PKCS#11 Serialized id from previous step - but make sure to escape backslashes by adding another backslash. (The serialized ID is somehow wrong in Fedora 23 and therefore OpenVPN there does not work with PIV applet.)

Now try the openvpn to run again with your Yubikey inserted, it should ask for your PIN:

Code:
openvpn --config openvpn.conf
Fri Dec 11 11:19:06 2015 OpenVPN 2.3.2 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [eurephia] [MH] [IPv6] built on Dec  1 2014
Fri Dec 11 11:19:06 2015 PKCS#11: Adding PKCS#11 provider '/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
Fri Dec 11 11:19:06 2015 WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Fri Dec 11 11:19:06 2015 Control Channel Authentication: using 'tls_auth.key' as a OpenVPN static key file
Fri Dec 11 11:19:06 2015 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Fri Dec 11 11:19:06 2015 Socket Buffers: R=[212992->131072] S=[212992->131072]
Fri Dec 11 11:19:06 2015 UDPv4 link local: [undef]
Fri Dec 11 11:19:06 2015 UDPv4 link remote: [AF_INET]1.2.6.5:1194
Fri Dec 11 11:19:06 2015 TLS: Initial packet from [AF_INET]1.2.6.5:1194, sid=b14bf3bf 4f16ba93
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=1, C=CZ, ...
Fri Dec 11 11:19:06 2015 VERIFY OK: depth=0, C=CZ, ...
Enter PIV_II (PIV Card Holder pin) token Password:


The VPN should work as it did before, but now PIV applet on your Yubikey authenthicates you.

Warning: The hex part in serialized id will change when you add new certificates/keys later, you'll have to edit openvpn.conf again!


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 1 post ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group