Modified certificate generation to address issues #234 and #228

I have made the following modifications to comply with the IKEv2 client certificate requirements: - Changed client certificate CN to {{ IP_subject_alt_name }}_{{ item }} from {{ item }} - Changed client certificate SAN to {{IP_subject_alt_name }} from {{ item }} - Added clientAuth to client certificate EKU I have made the following changes to address a mismatch in the windows deployment script and file names: - Changed the client certificate (.p12) filename in config/{{ IP_subject_alt_name }} to {{ IP_subject_alt_name}}_{{ item }}.p12 from {{ item }}.p12 to match the ps1 script Testing: I have tested the changes on Windows 10 client, Ubuntu 16.04.1 server (DigitalOcean) - the config described in Issue #234 I apologize for not being able to test on other configurations. I hope that someone else can verify my changes
2025-09-06 20:13:11 +02:00 · 2017-02-10 12:53:15 +00:00 · 2017-02-10 12:53:15 +00:00 · a470671292
commit a470671292
parent 4567d280f7
3 changed files with 11 additions and 11 deletions
--- a/roles/vpn/tasks/main.yml
+++ b/roles/vpn/tasks/main.yml
@ -189,15 +189,15 @@
 - name: Build the client's pair
  local_action: >
-   shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+   shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" -batch &&
-      openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+      openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" &&
      touch certs/{{ item }}_crt_generated
  become: no
  args:
    chdir: "configs/{{ IP_subject_alt_name }}/pki/"
    creates: certs/{{ item }}_crt_generated
  environment:
-    subjectAltName: "DNS:{{ item }}"
+    subjectAltName: "DNS:{{ IP_subject_alt_name }}"
  with_items: "{{ users }}"
 - name: Build the client's p12
@ -212,7 +212,7 @@
  local_action:
    module: copy
    src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-    dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+    dest: "configs/{{ IP_subject_alt_name }}/{{IP_subject_alt_name }}_{{ item }}.p12"
    mode: 0600
  become: no
  with_items:
--- a/roles/vpn/templates/openssl.cnf.j2
+++ b/roles/vpn/templates/openssl.cnf.j2
@ -108,7 +108,7 @@ basicConstraints	= CA:FALSE
 subjectKeyIdentifier	= hash
 authorityKeyIdentifier	= keyid,issuer:always
-extendedKeyUsage = serverAuth,1.3.6.1.5.5.7.3.17
+extendedKeyUsage = serverAuth,clientAuth,1.3.6.1.5.5.7.3.17
 keyUsage = digitalSignature, keyEncipherment
 subjectAltName = ${ENV::subjectAltName}
--- a/users.yml
+++ b/users.yml
@ -63,15 +63,15 @@
    - name: Build the client's pair
      local_action: >
-        shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" -batch &&
+        shell openssl req -utf8 -new -newkey {{ algo_params | default('ec:ecparams/prime256v1.pem') }} -config openssl.cnf -keyout private/{{ item }}.key -out reqs/{{ item }}.req -nodes -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" -batch &&
-          openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ item }}" &&
+          openssl ca -utf8 -in reqs/{{ item }}.req -out certs/{{ item }}.crt -config openssl.cnf -days 3650 -batch -passin pass:"{{ easyrsa_CA_password }}" -subj "/CN={{ IP_subject_alt_name }}_{{ item }}" &&
          touch certs/{{ item }}_crt_generated
      become: no
      args:
        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
        creates: certs/{{ item }}_crt_generated
      environment:
-        subjectAltName: "DNS:{{ item }}"
+        subjectAltName: "DNS:{{ IP_subject_alt_name }}"
      with_items: "{{ users }}"
    - name: Build the client's p12
@ -86,7 +86,7 @@
      local_action:
        module: copy
        src: "configs/{{ IP_subject_alt_name }}/pki/private/{{ item }}.p12"
-        dest: "configs/{{ IP_subject_alt_name }}/{{ item }}.p12"
+        dest: "configs/{{ IP_subject_alt_name }}/{{ IP_subject_alt_name }}_{{ item }}.p12"
        mode: 0600
      become: no
      with_items:
@ -94,7 +94,7 @@
    - name: Get active users
      local_action: >
-        shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g'
+        shell grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN={{ IP_subject_alt_name }}_//g'
      become: no
      args:
        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
@ -110,7 +110,7 @@
        chdir: "configs/{{ IP_subject_alt_name }}/pki/"
        creates: crl/{{ item }}_revoked
      environment:
-        subjectAltName: "DNS:{{ item }}"
+        subjectAltName: "DNS:{{ IP_subject_alt_name }}"
      when: item not in users
      with_items: "{{ valid_certs.stdout_lines }}"