When a user is connected to my OpenVPN server would I like to extract the ID of the clients certificate.
The purpose is to write a script that will prevent users from sharing their certificates with others. Right now any certificate will work with any valid LDAP user.
When I set script-security 3, which seams to give the most info to the env variable, I see the variables at the bottom of this post (actual values removed). As far as I can tell, nothing in there can be tied to the certificate the user used.
Question
How do I get hold of the client’s certificate/key ID, so I can match it against /etc/openvpn/easy-rsa/2.0/keys/*{.crt,.csr,.key}? The filename is the LDAP username.
E.g.
/etc/openvpn/easy-rsa/2.0/keys/bob.crt
/etc/openvpn/easy-rsa/2.0/keys/bob.csr
/etc/openvpn/easy-rsa/2.0/keys/bob.key
Dump of env variable
X509_1_OU=
common_name=
route_gateway_1=
ifconfig_remote=
untrusted_ip=
ifconfig_local=
proto_1=
tls_serial_1=
tls_serial_0=
tun_mtu=
X509_1_emailAddress=
tls_id_0=
X509_1_L=
tls_id_1=
X509_1_O=
password=
script_type=
verb=
username=
local_port_1=
config=
X509_0_CN=
dev=
auth_control_file=
X509_1_C=
X509_1_ST=
route_network_1=
remote_port_1=
PWD=
route_net_gateway=
daemon=
X509_1_name=
untrusted_port=
SHLVL=
script_context=
route_vpn_gateway=
route_netmask_1=
daemon_start_time=
X509_0_ST=
daemon_pid=
X509_1_CN=
X509_0_OU=
X509_0_emailAddress=
daemon_log_redirect=
X509_0_C=
X509_0_L=
link_mtu=
X509_0_O=
The
crtis signed by thekey. You can’t change thecrtwithout generating a newcsrand signing it with thekeyagain. I’m not an expert authority, so I don’t know which, but there should be some fields that the client can’t change without breaking the certificate’s validation. Looking at the wiki page, It would seem to me you can’t change the Subject attributes (CN, etc).So if you’re validating user
bob, withbob.crt, then make sure in the certificate theCNis bob. Matching all three of these should mean that bob is logging in with his own certificate.