1

I have embedded devices that are located in different cities and connected to my OpenVPN server. I initialize my devices before deploying them and put the certificate/key pair on them over the local network. When the devices go online at the remote site, they are connected to my OpenVPN server via a private tunnel. I am using OpenVPN version 2.3.10 with EasyRSA on Ubuntu 16.04 LTS.

Now the certificates are about to expire. How can I renew the certificates on these devices? I am thinking of 2 approaches.

Approach 1) A script on the device checks the validity of the certificate every month or so, and when the certificate is about to expire it sends a certificate generation request (a standard HTTPS GET request or similar). On the server end, only requests coming from the private tunnel should be served. A certificate/key with the same CN should be generated and transferred to the client.

Problems with approach 1)

  • How should the cert/key pair be transferred securely? I don't want to exchange the client's private key via the network.
  • The whole process should be automated, so I also cannot put the key in place manually.
  • How should the cert/key be generated on the server? I also don't want the Apache web user, i.e. www-data, to have access to my EasyRSA folder.

Approach 2) Generate the private key at the client end (my embedded device). Create a certificate signing request (CSR) and send it to the OpenVPN server (which is also my CA). The CA generates a certificate and sends back the client certificate.

Problems with approach 2)

  • How do I authenticate the CSR? How can I know that the CSR is coming from my embedded device and not some attacker? The only way that I can be sure is if the CSR is coming from the private tunnel.

  • If the certificate on my embedded device expires before renewal, then the private tunnel would not exist. How can I authenticate the CSR in this case? Anyone with CA.crt (the CA's public key) can generate a private key and send a CSR to the CA.

I think approach 2 seems more reasonable and secure, but I don't know the solution to the problems I am facing. I want to know if I have a correct understanding of security, or if there is something I am missing. Also, if I go with approach 2, what would the implementation look like? I know the theory, but I don't know how to create a CSR and send it to the CA, and, on the CA end, how to receive a CSR, generate a cert and send it back.

Ahmad Karim

1 Answer

1

Since this is old, how did you solve it?

My thoughts both use a simple API to drive part of the process:


Approach 1

This can work if you have your client check the certificate, and if it's due to expire, it can ask for a new certificate. This doesn't need to be a CSR or anything, but instead a private API that can generate a new cert. You need rudimentary logic to authenticate the client before providing the new cert. Back on the client, your script can replace the certificate used to log in.

Approach 2

This might be useful combined with an API. Set up an HTTPS API on your client, with a secret URL, where you can push new certificates. If that doesn't work, maybe have a script on your server to allow expired certificates in certain conditions.


Another Note

Don't expire your certificates and instead lean on the revocation mechanism.

TonyH
  • Thanks for your answer! I never really solved this; I just changed the whole system so that devices have a valid certificate for a longer period of time, and I separated my CA, my front end, and my back end. Before, it was all in one place. Also, I found out that instead of implementing all this myself there are tools such as OpenCA, OpenXPKI, Dogtag etc. I never used these tools, but if I had known about them earlier I would have explored this direction. – Ahmad Karim Jan 17 '20 at 07:17
  • Have you ever tried HashiCorp Vault? It can do a lot of those things and act as a secure secret store. Will check out OpenCA etc. – TonyH Feb 03 '20 at 22:24
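
Approach 2 from the question, sketched with the `openssl` command line as an added example (not code from the question or the answer): the device checks expiry, generates its new key locally and builds a CSR with the same CN, and the CA side accepts the CSR only if its signature verifies and its CN matches the CN authenticated on the tunnel. Function names, file paths, the 30-day window and the sample CN `device-0042` are assumptions, and it covers only the case where the tunnel is still up.

```shell
#!/bin/sh
# Added example: device-side CSR renewal plus CA-side acceptance checks.
# Function names, file paths and the 30-day window are assumptions.
RENEW_WINDOW=$((30 * 24 * 3600))   # start renewing 30 days before expiry

# Print the CN of a certificate ("x509") or a CSR ("req").
# Assumes a plain CN without "/" or "=" characters.
subject_cn() {  # subject_cn <x509|req> <pem-file>
    openssl "$1" -in "$2" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= //p'
}

# Device: exit 0 if the certificate expires inside the window, 1 if not,
# 2 if it cannot be read (a missing file must not look like "still valid").
needs_renewal() {  # needs_renewal <cert.pem>
    [ -r "$1" ] || return 2
    ! openssl x509 -in "$1" -noout -checkend "$RENEW_WINDOW" >/dev/null 2>&1
}

# Device: create a fresh key locally and a CSR that reuses the current CN.
# Only the CSR is sent; the key file never leaves the device.
make_csr() {  # make_csr <current-cert.pem> <new-key-out> <csr-out>
    renew_cn=$(subject_cn x509 "$1")
    [ -n "$renew_cn" ] || return 1
    ( umask 077; openssl genrsa -out "$2" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$2" -subj "/CN=$renew_cn" -out "$3"
}

# CA: accept a CSR only if its self-signature verifies (the sender holds the
# matching private key) and its CN equals the CN that OpenVPN authenticated
# for the tunnel the request arrived on. The output is matched so the result
# does not depend on the exit status of the verify step.
ca_accepts_csr() {  # ca_accepts_csr <csr.pem> <tunnel-cn>
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    [ "$(subject_cn req "$1")" = "$2" ]
}

# Constructed sample input: a self-signed stand-in for the device's current cert.
make_sample_cert() {  # make_sample_cert <days> <key-out> <cert-out>
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" \
        -subj "/CN=device-0042" -keyout "$2" -out "$3" 2>/dev/null
}
```

Signing an accepted CSR is left to the CA's usual tooling, and how the server learns which CN is bound to the tunnel a request arrived on is outside this sketch.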