Opened 9 years ago
Last modified 9 years ago
#530 assigned Feature Wish
OpenVPN-GUI Dynamic client FQDN and cryptoapi certificate selection
Reported by: | liamdennehy | Owned by: | Heiko Hund |
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | Windows GUI | Version: | OpenVPN 2.3.5 (Community Ed) |
Severity: | Not set (select this one, unless you're an OpenVPN developer) | Keywords: | windows |
Cc: | | | |
Description
Hello. I am trying to use OpenVPN-GUI using the CryptoAPI to retrieve the machine's certificate which is working fine (so fine I think it resolves bug 388?). The issue is that the SUBJ: requirement for locating the correct certificate is specific to each system, meaning I cannot use a common ovpn configuration file, or would need to generate it dynamically for each installation.
The default for Active Directory Certificate Services is to use the machine FQDN (hostname.AD-domain-name) as the certificate CN for autoenrolled or manually-enrolled computer certificates. I would like OpenVPN-GUI to use information in the registry to compile this FQDN and submit it to the openvpn.exe as a parameter to the CryptoAPICert command for the SUBJ: field, meaning no client-specific changes to a configuration file. This also means the client can work out-of-the-box more easily for sites that deploy computer certificates in this way (once a valid configuration file is defined).
The machine FQDN can be compiled by retrieving the following two Windows Registry String values:
HKLM/System/CurrentControlSet/services/Tcpip/Parameters: Hostname
HKLM/System/CurrentControlSet/services/Tcpip/Parameters: Domain
There are NV Domain and NV Hostname parameters also present, but I do not believe they are more functional than the two above: Any disparity between the values of each respective key is likely a highly customised environment not worth supporting in this way.
Apologies for not proposing a GUI enhancement myself, but this seems like something a tickbox would achieve in the GUI, with an associated registry key which can be easily controlled by Windows policy. I would propose a directive in the configuration file but this may not be appropriate as it does not apply to non-windows clients.
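The following PowerShell script is an added example and is not part of the ticket or of the OpenVPN-GUI code base. It shows what an administrator would check on a client before relying on the scheme the ticket proposes: it reads the two Tcpip\Parameters values named above, builds the FQDN, looks in the machine certificate store (Cert:\LocalMachine\My) for certificates whose Subject CN equals that FQDN, and emits the matching cryptoapicert line. The function names, the fallback to the NV values, and the choice to require a usable private key are this example's own; the registry path and the AD CS "CN = machine FQDN" convention come from the ticket.

```powershell
# Added example (not from the ticket or the OpenVPN project).
# Builds the machine FQDN from the Tcpip\Parameters registry values and checks that
# the machine store holds exactly one usable certificate whose Subject CN matches.

function Get-MachineFqdnFromRegistry {
    $tcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $p = Get-ItemProperty -Path $tcpipParams

    # Primary values per the ticket; fall back to the NV (non-volatile) values only
    # if the primary ones are empty. The ticket treats a disparity between the two
    # as an unsupported, highly customised environment, so we warn about it.
    $hostname = $p.Hostname
    $domain   = $p.Domain
    if ([string]::IsNullOrEmpty($hostname)) { $hostname = $p.'NV Hostname' }
    if ([string]::IsNullOrEmpty($domain))   { $domain   = $p.'NV Domain' }
    if ($p.Hostname -and $p.'NV Hostname' -and $p.Hostname -ne $p.'NV Hostname') {
        Write-Warning "Hostname ($($p.Hostname)) and NV Hostname ($($p.'NV Hostname')) differ."
    }
    if ($p.Domain -and $p.'NV Domain' -and $p.Domain -ne $p.'NV Domain') {
        Write-Warning "Domain ($($p.Domain)) and NV Domain ($($p.'NV Domain')) differ."
    }

    if ([string]::IsNullOrEmpty($domain)) {
        # Not domain-joined: AD CS autoenrollment would not have issued a machine
        # certificate with an FQDN CN, so the lookup will most likely find nothing.
        Write-Warning 'Domain value is empty; machine does not appear to be domain-joined.'
        return $hostname
    }
    return "$hostname.$domain"
}

function Find-MachineCertificateByCn {
    param([Parameter(Mandatory)][string] $Cn)

    # Match CN=<fqdn> as a whole RDN. Subject strings are "CN=host.example.com, OU=..."
    # so anchor on the RDN separators; X.509 name matching is case-insensitive.
    $pattern = "(^|,\s*)CN=$([regex]::Escape($Cn))(\s*,|$)"
    @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
        $_.Subject -imatch $pattern -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.NotBefore -le (Get-Date)
    })
}

function Get-OpenVpnCryptoApiCertLine {
    $fqdn  = Get-MachineFqdnFromRegistry
    $certs = Find-MachineCertificateByCn -Cn $fqdn

    if ($certs.Count -eq 0) {
        throw "No valid machine certificate with a private key and CN=$fqdn was found."
    }
    if ($certs.Count -gt 1) {
        # openvpn.exe's SUBJ: selector is a substring search over the subject, so
        # several matches here mean the selection would be ambiguous for OpenVPN too.
        Write-Warning "Found $($certs.Count) matching certificates; thumbprints: $($certs.Thumbprint -join ', ')"
    }

    # This is the line the ticket wants OpenVPN-GUI to supply without a
    # per-client configuration file.
    "cryptoapicert `"SUBJ:$fqdn`""
}

# Usage (run on the client):
Get-OpenVpnCryptoApiCertLine
```

Because SUBJ: is a substring match, a machine whose store also holds a certificate for a longer name that contains the FQDN (for example a web server certificate for a host alias) would still be ambiguous for openvpn.exe even when this script reports a single exact-CN match; when that happens, selecting by THUMB: is the unambiguous alternative.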
Change History (1)
comment:1 Changed 9 years ago by
Keywords: | windows added |
---|---|
Owner: | set to Heiko Hund |
Status: | new → assigned |