From a4706712927ab64333961d116406a0a0a1f83439 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 10 Feb 2017 12:53:15 +0000
Subject: [PATCH] Modified certificate generation to address issues #234 and #228

I have made the following modifications to comply with the IKEv2 client certificate requirements:
- Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }}
- Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }}
- Added clientAuth to client certificate EKU
I have made the following changes to address a mismatch in the windows deployment script and file names:
- Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script
Testing: I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234
I apologize for not being able to test on other configurations. I hope that someone else can verify my changes
---
 roles/vpn/tasks/main.yml | 8 ++++----
 roles/vpn/templates/openssl.cnf.j2 | 2 +-
 users.yml | 12 ++++++------
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml
index 16b0bf14..17d1bc82 100644
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@@ -189,15 +189,15 @@
 - name: Build the client's pair
   local_action: >
-    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
-    openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" -batch &&
+    openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" &&
     touch certs/{{ item }}_crt_generated
   become: no
   args:
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     creates: certs/{{ item }}_crt_generated
   environment:
-    subjectAltName: "DNS:{{ item }}"
+    subjectAltName: "DNS:{{ IP_subject_alt_name }}"
   with_items: "{{ users }}"
 - name: Build the client's p12
@@ -212,7 +212,7 @@
   local_action:
     module: copy
     src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-    dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+    dest: "configs/{{ IP_subject_alt_name }}/{{IP_subject_alt_name }}_{{ item }}.p12"
     mode: 0600
   become: no
   with_items:
diff --git a/roles/vpn/templates/openssl.cnf.j2 b/roles/vpn/templates/openssl.cnf.j2
index 415557f8..9ec12b2d 100644
--- a/roles/vpn/templates/openssl.cnf.j2
+++ b/roles/vpn/templates/openssl.cnf.j2
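Review bot: The new `subjectAltName: "DNS:{{ IP_subject_alt_name }}"` line gives every client certificate the same SAN as the VPN server, and because the client `openssl ca` call uses the same `openssl.cnf` whose extension section this patch widens to `serverAuth,clientAuth`, each client's .p12 appears to become a valid server certificate for `{{ IP_subject_alt_name }} ` — a user holding one could present it as the server to other clients. If Windows IKEv2 really requires the client SAN to match the server, the client certificates should at least be issued from an extension section without `serverAuth` (selected with `-extensions` on the client `openssl ca` command) so they cannot serve in the server role. Separately, `DNS:` on a value that the variable name suggests is an IP address yields a malformed dNSName; if it is an IP, `IP:{{ IP_subject_alt_name }}` is the correct SAN type, though the server's own SAN is not visible here to compare. The identical change in users.yml @@ -63 has the same issue.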
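Review bot: The new `dest:` line writes `{{IP_subject_alt_name }}` with no space after `{{`, while the matching change in users.yml @@ -86 writes `{{ IP_subject_alt_name }}`; Jinja accepts both, but the two files should agree, so `dest: "configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.p12"`. The enclosing task starts outside the hunk.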
@@ -108,7 +108,7 @@
 basicConstraints = CA:FALSE
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid,issuer:always
-extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17
+extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17
 keyUsage = digitalSignature, keyEncipherment
 subjectAltName = ${ENV::subjectAltName}
diff --git a/users.yml b/users.yml
index c9837a26..74826b48 100644
--- a/users.yml
+++ b/users.yml
@@ -63,15 +63,15 @@
 - name: Build the client's pair
   local_action: >
-    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
-    openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+    shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" -batch &&
+    openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" &&
     touch certs/{{ item }}_crt_generated
   become: no
   args:
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     creates: certs/{{ item }}_crt_generated
   environment:
-    subjectAltName: "DNS:{{ item }}"
+    subjectAltName: "DNS:{{ IP_subject_alt_name }}"
   with_items: "{{ users }}"
 - name: Build the client's p12
@@ -86,7 +86,7 @@
   local_action:
     module: copy
     src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-    dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+    dest: "configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.p12"
     mode: 0600
   become: no
   with_items:
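Review bot: Adding `clientAuth` to the existing `extendedKeyUsage` line makes a single extension section assert both `serverAuth` and `clientAuth` (plus id-kp-ipsecIKE, 1.3.6.1.5.5.7.3.17) on every certificate issued through it; the client tasks in this same patch issue client certificates with `-config openssl.cnf` and a SAN equal to the server's, so if this is the section they use, a client certificate becomes usable as the server's certificate. Split the roles instead: keep `extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17` for the server and add a separate section for clients with `extendedKeyUsage = clientAuth,1.3.6.1.5.5.7.3.17`, chosen with `-extensions` in the client `openssl ca` command. If the sections stay merged, a comment above the line such as `# shared by server and client certificates - see roles/vpn/tasks/main.yml` would at least make the coupling visible. The section header is outside the hunk, so which `-extensions` name this belongs to cannot be confirmed here.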
@@ -94,7 +94,7 @@
 - name: Get active users
   local_action: >
-    shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+    shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN={{ IP_subject_alt_name }}_//g'
   become: no
   args:
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
@@ -110,7 +110,7 @@
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     creates: crl/{{ item }}_revoked
   environment:
-    subjectAltName: "DNS:{{ item }}"
+    subjectAltName: "DNS:{{ IP_subject_alt_name }}"
   when: item not in users
   with_items: "{{ valid_certs.stdout_lines }}"
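Review bot: The `grep -v "{{ IP_subject_alt_name }}"` filter kept in the new shell line now discards every client entry too, because this patch prefixes every client CN with `{{ IP_subject_alt_name }}_`; the new `sed 's/\/CN={{ IP_subject_alt_name }}_//g'` shows client lines were expected to reach it, but none do. With `valid_certs.stdout_lines` empty, the revocation task at @@ -110 (`when: item not in users`) never runs, so certificates of users removed from `users` remain valid. Exclude only the server's own entry, e.g. `grep -v "/CN={{ IP_subject_alt_name }}$"`, assuming the server certificate's subject is exactly `/CN={{ IP_subject_alt_name }}` and is the last field of index.txt; `awk -F'\t' '$NF != "/CN={{ IP_subject_alt_name }}"'` is the tighter form if that assumption holds.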