Private CA
If your organization wants to run the VPN server without relying on public CAs such as Let’s Encrypt or HARICA, it is possible to use your own private CA.
We assume you have your own managed CA and have arranged appropriate security for it; at the end of this document you will find how we created our Testing CA to test this scenario.
Server Configuration
Follow the TLS Certificate instructions to point it to the server certificate you created in your private CA. You MAY need to properly configure the chain as well, depending on your CA.
It is probably a good idea to trust the CA you created on the VPN server itself as well. How to do this depends on your server OS.
After you have performed the steps below for your OS, you should be able to run the following command and see JSON output rather than a TLS error:
$ curl https://vpn.example.org/.well-known/vpn-user-portal
If this doesn’t work you need to fix that first. Make sure you properly configured the TLS chain (if applicable), restarted the web server, added the correct CA certificate to your trust store, and checked the file permissions of the certificate.
Debian / Ubuntu
TBD.
Fedora / EL
Run the commands below, where ca.crt is your private CA’s “root” certificate:
$ sudo cp ca.crt /etc/pki/ca-trust/source/anchors
$ sudo update-ca-trust extract
This adds your CA to the trusted CA database in a sustainable way, i.e. it will remain when the system CA database is updated, e.g. through a package update.
Client Configuration
When using the VPN client, i.e. eduVPN or Let’s Connect!, you need to configure your operating system to trust the CA. How this is done depends on the system.
Most organizations probably have a way to deploy a CA to their managed devices, or have already done so, in which case the client instructions can be skipped. The instructions below are for manual setup by end users.
Windows
On Windows you can import the Root CA in certmgr, both for the local system and for the current user. To install it for your current user, open the Start menu and search for “Manage user certificates”. For the local system, search for certmgr.
Once you open the certificate manager select “Trusted Root Certification Authorities”. From the menu choose “Action”, then “All Tasks”, and finally “Import…”. Follow the wizard, select your CA certificate file and make sure the “Place all certificates in the following store” is set to “Trusted Root Certification Authorities”.
macOS
TBD.
Linux
TBD.
Android
TBD.
iOS
NOTE: if you enabled Lockdown Mode on your iOS device, this will NOT work.
Copy the CA to your device, ideally using a trusted mechanism like storing it on a public web server protected by TLS and then downloading it using Safari.
Once you try to open the file it will show a dialog that says “Profile Downloaded”. It instructs you to go into the “Settings” app to install it.
When you go to “Settings”, near the top it will show “Profile Downloaded”. You can open it, and it will show your CA there. There is an “Install” button in the top right. Click it. Enter your “Passcode” or other security mechanism you have set up. It will then ask you to confirm. Click “Install” again. And again. Then click “Done”.
That concludes the installation part, now it still needs to be trusted. Again, go to “Settings”, but this time to “General”, then “About”. Scroll to the bottom and there you’ll see “Certificate Trust Settings”. When you open that, you’ll see your CA with a “toggle” that you have to switch on. Confirm the action and you should be done!
Try to visit your VPN server now in Safari, that should work! If it does, it will also work from the VPN apps.
Browser Configuration
Firefox on Linux
Firefox has its own certificate store (on Linux). So for the OAuth flow that involves the browser, the CA needs to be added to Firefox as well if Firefox is the default browser.
You can add a CA certificate by going to “Settings”, “Privacy & Security”, “View Certificates” under “Security / Certificates”. Select the tab “Authorities” and click the “Import…” button. Find your private CA certificate file and select it in the dialog and click “Open”. In the dialog that appears now, make sure the checkbox in front of “Trust this CA to identify websites” is checked. Click “OK” and then again “OK”. You should be done!
On Windows, macOS and Android, the system CA store is used.
Testing CA
We use the vpn-ca component installed on your VPN server to generate the CA and the server certificate.
We create a CA, constrained to the example.org domain, but allowing subdomains of example.org.
$ vpn-ca \
-init-ca \
-name "My Test Root CA" \
-domain-constraint .example.org \
-not-after $(date -d "+30 days" +%FT%T%:z)
We create a server certificate now that expires together with the CA:
$ vpn-ca -server -name vpn.example.org -not-after CA
Follow the TLS Certificate instructions to point it to the server certificate you created above. You do NOT need to configure the chain, as there is no chain. The server certificate is issued directly by the CA.
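The Testing CA scenario above, together with the curl check from the Server Configuration section, as an added example that is not part of this page and not vpn-ca’s own code: a Go program using only the standard library (the functions newCert, caTemplate, serverTemplate, verifyServer and Scenario are this example’s own names, and it assumes that -domain-constraint .example.org becomes a DNS nameConstraints entry on the root). It builds a root constrained to .example.org, issues vpn.example.org directly from that root, and then verifies the result three ways: with the CA in the trust store, with the CA missing from the trust store (the TLS error curl shows until the CA is trusted), and for a constructed name outside the constraint, which a verifier must reject even though the CA key signed it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a P-256 key for tmpl and signs it with parentKey (nil: self-signed root).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parentKey == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// caTemplate mirrors `vpn-ca -init-ca ... -domain-constraint .example.org`: a critical nameConstraints extension.
func caTemplate(name string, permitted []string, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:                big.NewInt(1),
		Subject:                     pkix.Name{CommonName: name},
		NotBefore:                   time.Now().Add(-time.Minute),
		NotAfter:                    notAfter,
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
}

// serverTemplate mirrors `vpn-ca -server -name <dnsName> -not-after CA`: issued directly by the root, no chain.
func serverTemplate(ca *x509.Certificate, dnsName string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     ca.NotAfter,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verifyServer does what curl or the VPN app does: validate the leaf for dnsName against the given trust store.
func verifyServer(leaf *x509.Certificate, roots []*x509.Certificate, dnsName string) string {
	pool := x509.NewCertPool() // an empty pool models a device where the private CA was never installed
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: dnsName, Roots: pool})
	switch e := err.(type) {
	case nil:
		return "ok"
	case x509.CertificateInvalidError:
		if e.Reason == x509.CANotAuthorizedForThisName {
			return "name not permitted by CA constraint" // the issuer's nameConstraints exclude this DNS name
		}
	case x509.UnknownAuthorityError:
		return "unknown authority" // the TLS error curl shows until the CA is trusted
	}
	return err.Error()
}

// Scenario replays the page's Testing CA setup and adds two failure modes.
func Scenario() (map[string]string, error) {
	ca, caKey, err := newCert(caTemplate("My Test Root CA", []string{".example.org"}, time.Now().Add(30*24*time.Hour)), nil, nil)
	if err != nil {
		return nil, err
	}
	vpn, _, err := newCert(serverTemplate(ca, "vpn.example.org"), ca, caKey)
	if err != nil {
		return nil, err
	}
	outside, _, err := newCert(serverTemplate(ca, "vpn.example.com"), ca, caKey) // constructed out-of-scope name
	if err != nil {
		return nil, err
	}
	return map[string]string{
		"trusted CA":     verifyServer(vpn, []*x509.Certificate{ca}, "vpn.example.org"),
		"missing CA":     verifyServer(vpn, nil, "vpn.example.org"),
		"outside domain": verifyServer(outside, []*x509.Certificate{ca}, "vpn.example.com"),
	}, nil
}

func main() { fmt.Println(Scenario()) }
```

Because the server certificate is issued straight from the root, the roots pool holds the single CA certificate and there is no intermediate to supply, which is why the page says no chain needs configuring. The third case is what the domain constraint buys you: if the testing CA’s key is ever misused, clients that enforce name constraints still reject certificates it signs for names outside example.org.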