Using Windows2000 CA for OpenBSD based VPN


This documents describes a step-by-step instructions of how to implement PKI (Public Key Infrastructure) for OpenBSD-based VPN. There are many possible ways to achvieve this, but we have chosen to use the CA server that comes with Windows2000 and SCEP add-on from Microsoft. With this setup, it possible to enroll certificates for many different VPN devices/clients, including Cisco routers, SSH VPN products, IRE clients (Soft-PK), etc. SCEP functionality for OpenBSD is added using SSCEP, Simple SCEP client for Unix.

In the next few sections, we install the CA services and enroll certificates for OpenBSD gateway. Installation of Windows2000 server is not in scope of this document.

1. Install CA services

CA service come with default Windows2000 server, you just have to enable it. Install CA services from Control Panel -> Add/Remove Programs -> Add/Remove Windows Components. In this example, we choose to install stand-alone root CA. Click "Advanced options", it you wish to change the default configuration of key length, etc.

CA server installation, picture 1

Fill in the Distinguished Name (DN) of your CA and finish the installation.

CA server installation, picture 2

Next, download the SCEP package from Microsoft updates. It might be tricky to find at first time, look for "Windows Update Catalog" and "Find Microsoft Windows updates". From there, search with keyword "scep". If you really cannot find it, you can try this local package. I strongly recommend to use the Microsoft updates if you want to keep up the latest version of the software.

Run cepsetup.exe and skip the dialog by pressing "Next". The next dialog is about automatic enrollment. For this example setup, we choose to not require challenge password. Uncheck "Require SCEP..." and press "Next".

CA server installation, picture 3

Next, we make our RA certificate pair. Fill in the DN parameters.

CA server installation, picture 4

You can adjust the private key sizes and other parameters from "Advanced Enrollment Options". Click "Next" and the following window should appear:

CA server installation, picture 5

Remember the URL http://cacerver/certsrv/mscep/mscep.dll, we will need it later.

Next, start the CA server from Start -> Programs -> Administrative Tools -> Certificate Authority. Check that you have two issued certificates, one for encryption and one for signing. There's really no difference in the certificate DN, you just have two different RA certificates.

CA server certificates

You should also take a look at the CA certificate. Right-click on the CA icon (" SCEP CA" in our example) and choose Properties -> View Certificate.

View CA certificate fingerprint

Write down the SHA1 thumbprint, or leave the window on your server console.

2. Configure OpenBSD gateway

Before we can enroll certificates for OpenBSD gateway, we must add SCEP support for the operating system. Download and compile SSCEP before proceeding.

Get CA certificate

Next, edit the file sscep.conf. For CA certificate, you need the following configuration file keys:

# URL of the SCEP server
URL             http://caserver/certsrv/mscep/mscep.dll

# This is one is needed with all operations
CACertFile      ./ca.crt

# Display fingerprint algorithm (md5/sha1)
FingerPrint     sha1

URL is the very same url presented in "Setup Successful" dialog earlier. Also note the FingerPrint, Windows2000 CA likes to present the certificate fingerprint using SHA1. Get CA certificate:

$ ./sscep getca -f sscep.conf
./sscep: requesting CA certificate
./sscep: valid response from server

./sscep: found certificate with
  subject: /C=FI/ RA
  issuer: /C=FI/ SCEP CA
  usage: Digital Signature, Non Repudiation
  SHA1 fingerprint: FC:3C:0E:16:9A:33:D5:5C:A7:E6:01:1F:96:94:4E:C4:79:44:BF:FD
./sscep: certificate written as ./ca.crt-0

./sscep: found certificate with
  subject: /C=FI/ RA
  issuer: /C=FI/ SCEP CA
  usage: Key Encipherment, Data Encipherment
  SHA1 fingerprint: 1E:8D:34:37:AF:49:08:31:9B:82:61:64:B3:19:59:FE:1E:11:30:51
./sscep: certificate written as ./ca.crt-1

./sscep: found certificate with
  subject: /C=FI/ SCEP CA
  issuer: /C=FI/ SCEP CA
  usage: Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
  SHA1 fingerprint: 5F:B2:7B:C5:0F:7A:78:4C:B2:09:E4:B0:54:DA:E0:AC:F5:B9:CD:E3
./sscep: certificate written as ./ca.crt-2

We got three certificates. The last one (bolded) is the actual CA certificate. That is because it is selfsigned (it doesn't have to be, but in our setup, stand-alone root CA, it is) and the usage says "Certificate Sign, CRL Sign". The other two are needed for communication with the CA (RA certificates). The one with "usage: Digital Signature, Non Repudiation" is signing RA certificate, and the other one with "usage: Key Encipherment, Data Encipherment" is for encryption. Check that the SHA1 fingerprint is right and verify other certificates:

$ openssl verify -CAfile ca.crt-2 ca.crt-0 ca.crt-1
ca.crt-0: OK
ca.crt-1: OK

Make certificate request

PKCS#10 certificate request and RSA private key are generated with the script mkrequest (included in the SSCEP package). Edit the variables in beginning of the script if your company policy requires some specific DN.

# Prefix - key will be named as PREFIX.key and request PREFIX.csr

# Additional DN components. Add if your company policy requires them.
# commonName is assigned automatically from the subjectAltName, or if your
# CA requires the use of unstructuredName as a DN, you must fill in
# the relevant attributes below.
# countryName (example: FI)
# stateOrProvinceName (example: Uusimaa)
# localityName (example: Helsinki)
# organizationName (example:
# organizationalUnitName (example: Sales)
# Some CAs may require you to use Cisco-style subject.
# OpenBSD isakmpd don't care about the subject, only that matter is the
# subjectAltName extension. If the CA won't honor that, the certificate
# is useless for isakmpd.

# RSA key length, minimum of 1024 recommended.

mkrequest takes three paramers, first one defines your subjectAltName type: -ip, -dns or -email. For gateway, we should use -ip or -dns. Second parameter is the actual subjectAltName. The last argument is optional challenge passphrase. In our example, we generate a request with IP address subjectAltName of without challenge passphrase:

$ ./mkrequest -ip
Generating RSA private key, 1024 bit long modulus
e is 65537 (0x10001)
Using configuration from .8824client.cnf

Enroll certificate

Before we can make the enrollment, we must add a few more configuration file keys.

# URL of the SCEP server
URL             http://caserver/certsrv/mscep/mscep.dll

# This is one is needed with all operations
CACertFile      ./ca.crt-0

# Private key created with mkrequest
PrivateKeyFile  ./local.key

# Where to write successfully enrolled certificate
LocalCertFile   ./local.crt

# If your CA/RA uses a different certificates for encyption
# and signing, define this
EncCertFile    ./ca.crt-1

Note that CACertFile is the signing RA certificate and EncCertFile is the other RA certificate. CA certificate is not needed in enrollment. When all is set up, enroll with the command:

$ ./sscep enroll -f sscep.conf
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#1)
./sscep: valid response from server
./sscep: pkistatus: PENDING
./sscep: requesting certificate (#2)
./sscep: valid response from server
./sscep: pkistatus: PENDING

OK, it is in state PENDING. Now you should see the request in CA server "Pending Requests". Issue the certificate:

Issue pending certificate request

The next request should be successful:

./sscep: requesting certificate (#NNN)
./sscep: valid response from server
./sscep: pkistatus: SUCCESS
./sscep: certificate written as ./local.crt

That's it! Install the files local.key, local.crt and ca.crt-2 so that isakmpd can find them:

Filename Install as

local.crt /etc/isakmpd/certs/local.crt
local.key /etc/isakmpd/private/local.key
ca.crt-2 /etc/isakmpd/ca/ca.crt

If you are not sure about the right CA certificate, you can verify your local certificate any time using command "openssl verify -CAfile ca.crt-2 local.crt".

Copyright and Disclaimer

This document is copyright (c) 2003 of Jarkko Turkulainen. Redistribution of the document, with or without modification, is permitted provided that the redistribution retain the above copyright notice.



Bug reports, discussion, etc.: Sorry, you have to write it!.

Last updated Jan 27 2003 Home