OpenVPN with a Windows Certificate Services PKI

Has anyone tried using OpenVPN with certificates generated by Windows Certificate Services? In theory this should work.

The provided easy-rsa PKI is not very comfortable to manage for many users. I do already have an Active Directory set up, and I'd ideally want to have AD integration for the certificates. I have followed this guide to set up auto-enrollment for a user group. However, I can't even make sure that the corresponding user has been successfully assigned a certificate. It seems overly complex to me.

http://www.isaserver.org/img/upl/vpnkitbeta2/autoenroll.htm


Solution 1:

Yep, it's perfectly possible. X.509 is X.509.

OpenVPN 2.1 (beta, but perfectly stable) supports CryptoAPI. We use it on a daily basis.

To use your existing PKI, just give the OpenVPN server a copy of the CA. You can specify which clients can log in, if you don't want everyone on the CA to have access, by using CCD. Then place the following in your client configs:

cryptoapicert "THUMB:<cert_thumb>"

You can copy/paste the <cert_thumb> from the certificate details in the Windows personal cert store.

Auto Enroll is a pain and it's been a while since I struggled with it. But it does work, eventually.
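The two steps the answer describes on the client side (confirm that auto-enrollment actually delivered a certificate, then reference it by thumbprint with cryptoapicert) can be done from PowerShell rather than by clicking through the certificate viewer. The script below is an added example, not code from the original post or from the OpenVPN project. It assumes an AD CS template named OpenVPNUser, a VPN endpoint vpn.example.com and a CA file ca.crt next to the config; all three are placeholders to substitute. It reads the template name from the Microsoft template extensions (OIDs 1.3.6.1.4.1.311.21.7 for v2 and 1.3.6.1.4.1.311.20.2 for v1 templates), checks that the certificate has a private key, the Client Authentication EKU and has not expired, and then writes a client .ovpn that selects it with THUMB:. The thumbprint is emitted without the spaces the Windows dialog shows; OpenVPN's THUMB: selector accepts the hex either way.

```powershell
# Added example: find the auto-enrolled user certificate and write an OpenVPN
# client config that references it via CryptoAPI. Template, host and CA file
# names are placeholders (assumptions), not values from the original post.
param(
    [string]$TemplateName = 'OpenVPNUser',      # placeholder AD CS template name
    [string]$VpnHost      = 'vpn.example.com',  # placeholder VPN server
    [string]$OutFile      = "$env:USERPROFILE\client.ovpn"
)

$ClientAuthOid   = '1.3.6.1.5.5.7.3.2'     # Client Authentication EKU
$TemplateInfoOid = '1.3.6.1.4.1.311.21.7'  # Certificate Template Information (v2 templates)
$TemplateNameOid = '1.3.6.1.4.1.311.20.2'  # Certificate Template Name (v1 templates)

function Get-CertTemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext.Oid.Value -eq $TemplateInfoOid -or $ext.Oid.Value -eq $TemplateNameOid) {
            # v2 renders as "Template=Name(OID), Major Version Number=...";
            # v1 renders as the bare template name. Extract the name part.
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(,]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return $null
}

function Test-OpenVpnClientCert {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # cryptoapicert needs the private key in the store, and the server's
    # remote-cert-tls client check needs the clientAuth EKU.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    } | Select-Object -First 1
    $hasClientAuth = $false
    if ($eku) {
        $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ClientAuthOid })
    }
    return ($Cert.HasPrivateKey -and $hasClientAuth -and $Cert.NotAfter -gt (Get-Date))
}

# Personal store of the logged-on user, which is where user auto-enrollment lands.
$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object {
    (Get-CertTemplateName $_) -eq $TemplateName -and (Test-OpenVpnClientCert $_)
} | Sort-Object NotAfter -Descending)

if ($candidates.Count -eq 0) {
    Write-Warning "No usable certificate from template '$TemplateName' in Cert:\CurrentUser\My."
    Write-Warning "Auto-enrollment has not delivered one yet; run 'certutil -pulse' (or 'gpupdate /force') and check again."
    exit 1
}

# Newest valid certificate wins if the template has been renewed.
$cert = $candidates[0]
"Using certificate:"
$cert | Format-List Subject, Issuer, NotAfter, Thumbprint | Out-String

@"
client
dev tun
proto udp
remote $VpnHost 1194
nobind
persist-key
persist-tun
# Issuing CA, exported from the AD CS server as Base64 (placeholder path)
ca ca.crt
# Select the auto-enrolled user certificate from the Windows store
cryptoapicert "THUMB:$($cert.Thumbprint)"
# Refuse to talk to a peer whose certificate lacks the serverAuth EKU
remote-cert-tls server
verb 3
"@ | Set-Content -Path $OutFile -Encoding ASCII
"Wrote $OutFile"
```

On the server side, the CCD restriction the answer mentions is `client-config-dir` together with `ccd-exclusive`, so that only clients with a CCD file named after their certificate's common name are admitted; with auto-enrolled user certificates that common name is whatever the template's subject name setting produces, so check an issued certificate before creating the files. Also give the server `crl-verify` with a CRL published by the AD CS CA: revoking a user's certificate in the CA console does nothing for OpenVPN until the server actually checks the CRL.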