Opened 6 years ago

Last modified 5 years ago

#530 assigned Feature Wish

OpenVPN-GUI Dynamic client FQDN and cryptoapi certificate selection

Reported by: liamdennehy Owned by: Heiko Hund
Priority: minor Milestone:
Component: Windows GUI Version: OpenVPN 2.3.5 (Community Ed)
Severity: Not set (select this one, unless you're an OpenVPN developer) Keywords: windows
Cc:

Description

Hello. I am trying to use OpenVPN-GUI using the CryptoAPI to retrieve the machine's certificate which is working fine (so fine I think it resolves bug 388?). The issue is that the SUBJ: requirement for locating the correct certificate is specific to each system, meaning I cannot use a common ovpn configuration file, or would need to generate it dynamically for each installation.

The default for Active Directory Certificate Services is to use the machine FQDN (hostname.AD-domain-name) as the certificate CN for autoenrolled or manually-enrolled computer certificates. I would like OpenVPN-GUI to use information in the registry to compile this FQDN and submit it to openvpn.exe as a parameter to the CryptoAPICert command for the SUBJ: field, meaning no client-specific changes to a configuration file. This also means the client can work out of the box more easily for sites that deploy computer certificates in this way (once a valid configuration file is defined).

The machine FQDN can be compiled by retrieving the following two Windows Registry String values:
HKLM/System/CurrentControlSet/services/Tcpip/Parameters: Hostname
HKLM/System/CurrentControlSet/services/Tcpip/Parameters: Domain

There are NV Domain and NV Hostname parameters also present, but I do not believe they are more functional than the two above: any disparity between the values of each respective key is likely a highly customised environment not worth supporting in this way.

Apologies for not proposing a GUI enhancement myself, but this seems like something a tickbox would achieve in the GUI, with an associated registry key which can be easily controlled by Windows policy. I would propose a directive in the configuration file but this may not be appropriate as it does not apply to non-windows clients.
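An added example (not OpenVPN-GUI code, and not from the reporter) that does by hand what the ticket asks the GUI to do: read the two Tcpip\Parameters values named above, assemble the FQDN, and emit the matching cryptoapicert line, with the NV-value disparity check the ticket mentions and a check that the machine's personal store actually holds a certificate for that subject with a private key. It assumes PowerShell 3 or later on a domain-joined machine; the regex and variable names are the example's own.

```powershell
# Added example, not part of OpenVPN-GUI. Builds the cryptoapicert SUBJ:
# directive from the registry instead of hard-coding it per machine.

$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$hostname = $params.Hostname
$domain   = $params.Domain

if ([string]::IsNullOrWhiteSpace($hostname) -or [string]::IsNullOrWhiteSpace($domain)) {
    throw "Hostname or Domain is empty; machine is not domain-joined or is unusually configured"
}

# NV Hostname / NV Domain normally mirror Hostname / Domain. A mismatch is the
# "highly customised environment" case the ticket chooses not to support,
# so surface it rather than silently picking one side.
if ($params.'NV Hostname' -and $params.'NV Hostname' -ne $hostname) {
    Write-Warning "NV Hostname ($($params.'NV Hostname')) differs from Hostname ($hostname)"
}
if ($params.'NV Domain' -and $params.'NV Domain' -ne $domain) {
    Write-Warning "NV Domain ($($params.'NV Domain')) differs from Domain ($domain)"
}

$fqdn = "$hostname.$domain"

# AD CS computer templates put the FQDN in the CN. Require a private key:
# without one CryptoAPI cannot sign the TLS handshake and the VPN will not
# come up even though the subject matches.
$cnPattern = "(^|,\s*)CN=$([regex]::Escape($fqdn))(,|$)"
$certs = @(Get-ChildItem -Path 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -match $cnPattern -and $_.HasPrivateKey })

if ($certs.Count -eq 0) {
    throw "No certificate with a private key and CN=$fqdn in Cert:\LocalMachine\My"
}
if ($certs.Count -gt 1) {
    # SUBJ: is a substring match, so several enrolled certificates may qualify;
    # expired or superseded ones should be removed so the choice is deterministic.
    Write-Warning "$($certs.Count) certificates match CN=$fqdn; remove expired or duplicate ones"
}

# The directive exactly as it would be written into the .ovpn file.
"cryptoapicert `"SUBJ:$fqdn`""
```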

Change History (1)

comment:1 Changed 5 years ago by Samuli Seppänen

Keywords: windows added
Owner: set to Heiko Hund
Status: new → assigned