OpenVPN and Active Directory Based PKI Gotchas
I am in the process of setting up my lab environment fully based on Enterprise Server 2008R2 Hyper-V. Migrating my Repository Server, SQL Server, Web Server and the Domain Controller has been quite easy, however my newly setup OpenVPN appliance caused me some serious headaches.
Since OpenVPN and some other services I use regularly rely on certificates (Github, Apple Developer Connection), I thought it would be wise to use Active Directory Certificate Services with auto-enrollment and auto-renewal for the various certificates I need. While this in itself works far more reliably than my old Windows Server 2003 setup did, I couldn’t get the OpenVPN CryptoAPI integration (cryptoapicert) to work at first. Here’s a quick rundown of what I did to make it work:
Steps For AutoEnrollment:
- Create two AD Computer Groups, OpenVPN Servers and OpenVPN Clients
- Join Computers to those groups accordingly
- Configure Computer and User Group Policy to enable Auto-Enrollment (see http://technet.microsoft.com/en-us/library/cc731522.aspx), run gpupdate on the clients/servers
- Go to Certificate Authority Manager, Select “Certificate Templates” and then “Manage” from the context menu
- Create two new certificate templates by duplicating the “Computer” and “User” template. Under Subject Name, select DNS name and Fully distinguished name for Subject name format. Under Security, add the appropriate group (server/clients) and allow Read, Enroll and Autoenroll. The extensions persisted in the certificate can be ignored.
- Log on to your client/server, run mmc and add a Certificates snap-in for Computer/User. Make sure you have got your certs, or manually trigger auto-enrollment by right-clicking the Certificates snap-in node, All Tasks, Automatically enroll…
- Now that you have this set up, make OpenVPN use these certs:
  - Export your CA cert and point OpenVPN at it, e.g. (in server.ovpn): ca ca.cer
  - Specify your computer/user cert, e.g. (in server.ovpn): cryptoapicert "THUMB: ff ad …" or cryptoapicert "SUBJ:VPN.conso.com"
  - The OpenVPN service or the OpenVPN GUI needs to run with administrator rights to access the certificate store. Otherwise you may get the following error message: Cannot load certificate "SUBJ:RUNOPS.runworks.com" from Microsoft Certificate Store: error:C5066064:microsoft cryptoapi:CryptAcquireCertificatePrivateKey:Keyset does not exist
  - For the template used to issue certificates to users/computers you must not select Windows 2008 CA compatibility! Select Windows 2003 CA compatibility. Otherwise you may get the following error message: Invalid provider type specified
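A pre-flight check I would run on the OpenVPN host before writing the cryptoapicert line, added here as an example and not part of the original post. It assumes the certificate was auto-enrolled into the Local Computer Personal store (VPN.conso.com is the placeholder from above), and relies on the fact that a Windows 2008-compatible template puts the key in a CNG key storage provider, which the CryptoAPI backend cannot open, while Windows 2003 compatibility yields a legacy CSP key:

```powershell
# Added example (not from the original post): pre-flight check before writing the
# cryptoapicert line. Assumes the auto-enrolled cert sits in Cert:\LocalMachine\My.
param(
    [string]$SubjectMatch = 'VPN.conso.com'   # constructed placeholder, as in the post
)
$ErrorActionPreference = 'Stop'

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# 1. "Keyset does not exist": machine-store private keys are readable only by
#    SYSTEM/Administrators by default, so the service or GUI must run elevated.
if (-not (Test-Elevated)) {
    Write-Warning 'Not elevated: OpenVPN started from here would fail with "Keyset does not exist".'
}

# 2. Mirror OpenVPN's SUBJ: selector (case-insensitive substring of the subject) and,
#    because auto-renewal can leave several matches, keep the newest one.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$SubjectMatch*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My; autoenrollment not done?" }

Write-Host ("Subject       : {0}" -f $cert.Subject)
Write-Host ("Thumbprint    : {0}" -f $cert.Thumbprint)
Write-Host ("Expires       : {0}" -f $cert.NotAfter)

# 3. "Invalid provider type specified": a Windows 2008-compatible template stores the
#    key in a CNG key storage provider. The legacy X509Certificate2.PrivateKey getter
#    throws that same error for CNG keys, so it doubles as the detector here.
if (-not $cert.HasPrivateKey) {
    Write-Warning 'Certificate has no private key in this store.'
} else {
    try {
        $csp = $cert.PrivateKey.CspKeyContainerInfo
        Write-Host ("Key provider  : legacy CSP '{0}' (type {1}), usable by cryptoapicert" -f
            $csp.ProviderName, $csp.ProviderType)
    } catch {
        Write-Warning (('Private key is not in a legacy CSP ({0}); re-issue it from a ' +
            'template with Windows 2003 CA compatibility.') -f $_.Exception.Message)
    }
}

# 4. Emit the config line in the space-separated THUMB form used in the post.
$thumb = $cert.Thumbprint -replace '(..)(?!$)', '$1 '
Write-Host ('cryptoapicert "THUMB:{0}"' -f $thumb)
```

Run it from the same account and elevation level the OpenVPN service or GUI will use, since the "Keyset does not exist" check only reflects the context it runs in.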
Hope this saves someone else the pain of going through this.