OpenBSD's default /etc/ssl/openssl.cnf takes a very minimalist approach, which becomes a problem if you plan to let users on other operating systems log in.
$ cat /etc/ssl/openssl.cnf
# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids

# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)

[ new_oids ]

# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6

# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7

####################################################################
[ ca ]
default_ca = IRCNow                   # The default ca section

####################################################################
[ IRCNow ]

dir = /etc/ssl                        # Where everything is kept
certs = $dir/certs                    # Where the issued certs are kept
crl_dir = $dir/crl                    # Where the issued crl are kept
database = $dir/index.txt             # database index file.
#unique_subject = no                  # Set to 'no' to allow creation of
                                      # several certs with same subject.
new_certs_dir = $dir/newcerts         # default place for new certs.

certificate = $dir/cacert.pem         # The CA certificate
serial = $dir/serial                  # The current serial number
crlnumber = $dir/crlnumber            # the current crl number
                                      # must be commented out to leave a V1 CRL
crl = $dir/crl.pem                    # The current CRL
private_key = $dir/private/cakey.pem  # The private key

x509_extensions = usr_cert            # The extensions to add to the cert

name_opt = IRCNow                     # Subject Name options
cert_opt = IRCNow                     # Certificate field options

default_days = 365                    # how long to certify for
default_crl_days = 365                # how long before next CRL
default_md = default                  # use public key default MD
preserve = no                         # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match

# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

####################################################################
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca               # The extensions to add to the self signed cert
string_mask = utf8only
req_extensions = v3_req

[ req_distinguished_name ]
countryName = TW
countryName_default = TW
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Taiwan
stateOrProvinceName_default = Taiwan
localityName = Taichung
0.organizationName = IRCNow
0.organizationName_default = IRCNow
organizationalUnitName = Operations
#organizationalUnitName_default =
commonName = vpn.ircnow.org
commonName_max = 64
emailAddress = pirata@ircnow.org
emailAddress_max = 64
# SET-ex3 = SET extension number 3

[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = IRCNow

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn.ircnow.org
DNS.2 = IPv4
DNS.3 = IPv6

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"

[ crl_ext ]
authorityKeyIdentifier=keyid:always

[ proxy_cert_ext ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
We had to replicate part of /etc/ssl/openssl.cnf into a local openssl.cfg to be able to generate proper keys and certificates.
$ cat openssl.cfg
[ vpn.ircnow.org ]
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.8.2.2,serverAuth
subjectAltName = DNS:vpn.ircnow.org
basicConstraints=CA:FALSE
crlDistributionPoints = URI:https://vpn.ircnow.org/ca.crl

[ ca ]
default_ca = IRCNow

[ IRCNow ]
database = index.txt
default_md = default
private_key = ca.key.pem
certificate = ca.pem
x509_extensions = usr_cert
default_days = 365
default_crl_days = 365

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = utf8only

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
nsCertType = sslCA, emailCA

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
#extendedKeyUsage=serverAuth
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = vpn.ircnow.org
DNS.2 = IPv4
DNS.3 = IPv6

[ usr_cert ]
basicConstraints=CA:FALSE
nsComment = "OpenSSL Generated Certificate"

[ req_distinguished_name ]
countryName = TW
countryName_default = TW
countryName_min = 2
countryName_max = 2
stateOrProvinceName = Taiwan
stateOrProvinceName_default = Taiwan
localityName = Taichung
0.organizationName = IRCNow
0.organizationName_default = IRCNow
organizationalUnitName = Operations
commonName = vpn.ircnow.org
commonName_max = 64
emailAddress = pirata@ircnow.org
emailAddress_max = 64
After some trial and error, we found a combination of openssl commands that generates all the certs and keys:
# self-signed CA certificate; the CA private key ca.key.pem must already exist
openssl req -new -x509 -subj "/CN=IRCNow" -extensions v3_ca -days 365 -key ca.key.pem -sha256 -out ca.pem -config openssl.cfg
# server private key and certificate request
openssl genrsa -out vpnircnow.key.pem 2048
openssl req -subj "/CN=vpnircnow" -extensions v3_req -sha256 -new -key vpnircnow.key.pem -out vpnircnow.csr
# sign the request with the CA, adding the v3_req extensions (SAN, CA:FALSE) from openssl.cfg
openssl x509 -req -extensions v3_req -days 365 -sha256 -in vpnircnow.csr -CA ca.pem -CAkey ca.key.pem -CAcreateserial -out vpnircnow.crt -extfile openssl.cfg
# server cert, CA cert and server key in one PEM file for the server side
cat vpnircnow.crt ca.pem vpnircnow.key.pem > vpnircnow-ca-full.pem
# PKCS#12 bundle; note it also contains the server private key, which must not leave the server
openssl pkcs12 -export -out vpnircnow.pfx -inkey vpnircnow.key.pem -in vpnircnow.crt -certfile ca.pem
# (empty) CRL; openssl ca needs the index.txt named in openssl.cfg to exist, create it empty if needed
openssl ca -config openssl.cfg -gencrl -out ca.crl
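To check the result of the procedure above, here is an added example that is not part of the original page: it builds a throwaway CA and server certificate using the [ vpn.ircnow.org ] extension section from openssl.cfg (used as the signing section instead of v3_req, with extendedKeyUsage spelled out) and then checks the properties a Windows IKEv2 client verifies on a server certificate: it chains to the CA, its SAN names the server address, it is not a CA certificate, and it carries the serverAuth EKU. It assumes the openssl command-line tool is installed; file names follow the page, everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example (not from the page): build a throwaway CA and server cert with the
# extension sections from openssl.cfg above, then check what a Windows IKEv2 client
# needs: chain to the CA, SAN equal to the server name, CA:FALSE, serverAuth EKU.
# Requires the openssl command-line tool; all files live in a temporary directory.
set -e
WORK=$(mktemp -d)
cat > "$WORK/openssl.cfg" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = v3_ca
[ req_distinguished_name ]
commonName = Common Name
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE, pathlen:3
keyUsage = critical, cRLSign, keyCertSign
[ vpn.ircnow.org ]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = 1.3.6.1.5.5.8.2.2, serverAuth
subjectAltName = DNS:vpn.ircnow.org
basicConstraints = CA:FALSE
crlDistributionPoints = URI:https://vpn.ircnow.org/ca.crl
EOF
cd "$WORK"
# CA key and self-signed CA cert (the page's first command assumes ca.key.pem exists)
openssl genrsa -out ca.key.pem 2048 2>/dev/null
openssl req -new -x509 -subj "/CN=IRCNow" -extensions v3_ca -days 365 \
  -key ca.key.pem -sha256 -out ca.pem -config openssl.cfg
# server key, CSR, and a CA-signed cert carrying the [ vpn.ircnow.org ] extensions
openssl genrsa -out vpnircnow.key.pem 2048 2>/dev/null
openssl req -new -subj "/CN=vpn.ircnow.org" -key vpnircnow.key.pem -out vpnircnow.csr -config openssl.cfg
openssl x509 -req -days 365 -sha256 -in vpnircnow.csr -CA ca.pem -CAkey ca.key.pem \
  -CAcreateserial -extfile openssl.cfg -extensions vpn.ircnow.org -out vpnircnow.crt 2>/dev/null

# Returns 0 only when CERT chains to CA and carries the properties IKEv2 needs for NAME.
check_server_cert() {
  cert=$1; ca=$2; name=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$cert" -noout -text)
  echo "$text" | grep -Eq "DNS:$name(,|\$)" || return 1               # SAN names the server
  echo "$text" | grep -q "CA:FALSE" || return 1                       # end-entity, not a CA
  echo "$text" | grep -q "TLS Web Server Authentication" || return 1  # serverAuth EKU
}
check_server_cert vpnircnow.crt ca.pem vpn.ircnow.org && echo "vpnircnow.crt: OK for IKEv2"
```

Point the same function at the certificate you actually deployed and at the hostname from Add-VpnConnection to catch a SAN or EKU mismatch before the Windows side reports an authentication failure.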
And finally, host ca.crl, ca.crt and vpnIRCNoWin.pfx on httpd so our Windows users can:
Last thing:
Add-VpnConnection -Name "IRCNow VPN" -ServerAddress "vpn.ircnow.org" -TunnelType "Ikev2" -RememberCredential