Building an Active Directory Authenticated and Managed OpenVPN Server Part 3

Now that OpenVPN was all set up, the only thing left to do was the automation. The script that I created takes care of the certificate/key creation for the users, the configuration customization, the configuration delivery, the Certificate Revocation List creation and configuration updates. Since this article is almost exclusively about one script, I will first lose a few words about each of the main functions and post the entire script afterwards.


Building an Active Directory Authenticated and Managed OpenVPN Server Part 2

After I outlined the goals for my project in the last article, it is time to get to work. This article will cover the installation and configuration of OpenVPN. I will also explain how chained certificates can be used with OpenVPN. If you follow my steps, you will have a functioning OpenVPN server at the end. My first step was to create a new KVM machine and install Debian Wheezy. I am going to skip the description and assume that you already have a functioning Linux to install OpenVPN on.


Building an Active Directory Authenticated and Managed OpenVPN Server Part 1

With my new PKI and my Active Directory up and running it was finally time to integrate my OpenVPN into the infrastructure I built over the last couple of months. While I had an OpenVPN running for years now, it was not integrated into any central user database and relied entirely on password-protected certificates to authenticate users.

For my new OpenVPN server I considered and tested the OpenVPN Access Server. That is the commercial product of OpenVPN; it has a very nice and easy web interface and it is very easy to integrate into Active Directory. I had a test VM set up and all tests went without a glitch. This is probably a very nice solution for most companies and the licensing fees are very reasonable. I was seriously considering simply buying a couple of licenses and being done with it. In the end, however, there was some functionality that I missed in the web interface (or maybe have not found). Ultimately I decided to build my own solution, since the paid version would not have saved me a whole lot of time.


Windows 8 Activating after a clean install of the Upgrade version

I recently moved my Windows 8 test machine from VirtualBox on my desktop to my hypervisor. But instead of installing Windows 7 first, I installed Windows 8 directly. I could do this without trouble, but once it was installed, I could not activate it. After a little googling I found the following solution:

Implementing an SSL Certificate and the subordinate CA Certificate on Apache, Dovecot and Postfix

As promised, here is a quick article on how to implement a certificate with chained trust into an Apache HTTPS server. You will need your server certificate and key and additionally the certificates of every intermediary Certificate Authority. Once you have those together, move them to your web server. The key file should be kept in a directory with only root access. If you happen to have more than one intermediary Certificate Authority in your chain of trust, you will have to put all the certificates into one file, starting with the intermediate that signed the server certificate. The easiest way to do this is the following:

cat intermediatecert_that_signed_the_server.pem intermediatecert2.pem intermediatecert3.pem > certchainfile_for_apache.pem

Once these preparations are finished, you need to open the config file of the virtual host. You need to adapt the following two lines to match the paths of your certificates:

SSLCertificateFile /path/to/your_server_cert.crt
SSLCertificateKeyFile /path/to/your_server_key.key

They should be in the example SSL file provided by Apache. And in order to present your chain of trust, you will need to add the following line, which makes Apache send the intermediary CA certificate(s) along with the server certificate (on Apache 2.4.8 and later this directive is deprecated; the intermediates can be appended to the file named in SSLCertificateFile instead):

SSLCertificateChainFile /path/to/Intermediary_CA_cert.crt

Restart Apache after this and you are finished. And while we are at it, let's do Dovecot as well. Copy all the needed certificates to your mail server. Dovecot does not seem to have a separate option for the trust chain, so just do the following (server certificate first, then the intermediate):

cat cert_mail_server.pem cert_intermediate_ca.pem > chained_cert.pem

After this, change the config file of Dovecot, "/etc/dovecot/dovecot.conf":

ssl_cert_file = /path/to/chained_cert.pem
ssl_key_file = /path/to/server_key.pem

And since we are on the mail server anyway, let's also change Postfix. If your Postfix is on the same server as your Dovecot, you can simply use the files from Dovecot. If not, repeat the steps as shown for Dovecot and then edit "/etc/postfix/main.cf":

smtpd_tls_cert_file = /path/to/chained_cert.pem
smtpd_tls_key_file = /path/to/server_key.pem

Restart Dovecot and Postfix and you are done.

I used this article as a reference: Geeklab, How to use chained SSL certificates

Automating the CRL generation and distribution of an OpenSSL Certificate Authority

In my previous article I described how I created the PKI for my home network. This time I will show you how I implemented a few small scripts to automate the necessary maintenance for my PKI.

Building a PKI with OpenSSL

In preparation for my new OpenVPN server, I needed a PKI (Public Key Infrastructure). A PKI is basically just a way of managing digital certificates. My software of choice for this is OpenSSL; it lets you create certificates for pretty much every usage scenario, and SSL is the standard for many encryption scenarios. I had actually built a new PKI for my web servers, but there were some issues with it that convinced me to create an entirely new PKI instead of just a sub CA for OpenVPN. This time I am documenting my approach, mostly to actually have some documentation on the subject, but also to help others avoid the mistakes I made with my old PKI.

Migrating Postfix and Dovecot from a MySQL User-Database to Active Directory

When I set up my Active Directory, I wanted to migrate all services at home to authenticate against it. Now that I had the AD running and a few not so critical services used it, it was time to finally migrate this one. I don't have an Exchange server at home (nor do I want one), and my colleague who tested OpenChange said it is not quite ready yet. So I will have to do without Exchange extensions for the AD. I will still be able to do the basic management for my mail users in the AD, but I won't be able to use any of the Exchange extensions or tools for it.

Linksys SPA 3102 – Making it Work with Asterisk

I wanted to look into Asterisk a little, but that only makes sense if I have some kind of telephone line for it. I don't have a VoIP line that I could simply move to an Asterisk install, but I do have an analog telephone line which I don't use so far. Naturally I wanted to use that, and since this was mostly for messing around a little, I wanted to keep the costs low.