{"id":83,"date":"2018-10-19T15:30:43","date_gmt":"2018-10-19T18:30:43","guid":{"rendered":"http:\/\/www.joontech.nl\/wordpress\/?p=83"},"modified":"2018-10-19T15:30:43","modified_gmt":"2018-10-19T18:30:43","slug":"certificates-keys-ssl-and-openvpn-on-synology","status":"publish","type":"post","link":"http:\/\/wordpress.joontech.nl\/?p=83","title":{"rendered":"Certificates, keys, SSL and Openvpn on Synology"},"content":{"rendered":"

Crypto-systems and keys<\/h1>\n

Nice article here about safer key usage:
\nhttps:\/\/blog.g3rt.nl\/upgrade-your-ssh-keys.html<\/a><\/p>\n

Generate your new sexy Ed25519 key (EdDSA using Twisted Edward curves) and a robust RSA key (Rivest\u2013Shamir\u2013Adleman).<\/p>\n

ssh-keygen -o -a 100 -t ed25519\r\nssh-keygen -t rsa -b 4096 -o -a 100<\/pre>\n
Add these to the SSH agent via ssh-add:<\/p>\n
\u00a0ssh-add<\/pre>\n
OpenVPN<\/h1>\n
Important reading:
\nhttps:\/\/blog.g3rt.nl\/openvpn-security-tips.html<\/a><\/p>\n
https:\/\/community.openvpn.net\/openvpn\/wiki\/Concepts-Authentication<\/a><\/p>\n
There is a good tool that helps you create your key pairs and certificates for\u00a0OpenVPN with Client Certificates called easy-rsa<\/em>. But it does rely on the fact that you are your own Certificate Authority.<\/p>\n
We want to use CA-Cert<\/a>\u00a0to sign our certificates, so we must make a Certificate Signing Request<\/p>\n
Note that OpenSSL and OpenSSH use different formats for there keys. OpenSSH uses a propriety format PKCS#1 PEM-encoded for its private key, OpenSSL uses a standard format IIUC.<\/p>\n
For OpenVPN (SSL) we use the OpenSSL toolset to generate the certificates.
\nI could not find how to convert the private OpenSSH key to a OpenSSL format. So we will regenerate the keys with OpenSSL. (PEM format)<\/p>\n
OpenSSL command line cannot create\u00a0Ed25519 keys (not yet, anyway).<\/p>\n
openssl genpkey -algorithm RSA \\\r\n   -pkeyopt rsa_keygen_bits:4096\\\r\n   -pkeyopt rsa_keygen_pubexp:65537 | \\\r\n   openssl pkcs8 -topk8 -nocrypt -outform pem > rsa-4096-private-key.pem\r\n\r\nopenssl pkey -pubout -inform pem -outform pem \\\r\n -in rsa-4096-private-key.pem \\\r\n -out rsa-4096-private-key.spki<\/pre>\n
Some interesting readings on OpenSSL:
\nhttps:\/\/www.sslshopper.com\/article-most-common-openssl-commands.html<\/a><\/p>\n
Generate the CSR, fill in the details as required. You could leave everything empty if the certificate will only be used by OpenVPN. As your email address is not in the certificate, the certificate cannot be used to track you.<\/p>\n
openssl req -new -sha256 -key rsa-4096-private-key.pem -out rsa-4096-private-key.csr<\/pre>\n
Send this to\u00a0CA-Cert<\/a>, and receive a signed certificate from them by email.<\/p>\n
Information from certificates and CSRs can be obtained with this:<\/p>\n
openssl x509 -noout -subject -in\u00a0<certificate>.crt\r\nopenssl req -in <request>.csr -noout -text<\/pre>\n
The big question that now pops-up is if we trust\u00a0CA-Cert<\/a> enough to let them sign the certificates. If we would be our own Certificate Authority, we would know exactly which certificates we have signed.<\/p>\n
If you are using OpenVPN for your organisation it is probably better not to use any public certificates for OpenVPN but create your own CA and only accept certificates issued by this CA. This is actually the way proposed in the\u00a0OpenVPN Howto<\/a>. This way you are in full control of the certificates and even if some of the public CA’s gets compromised and issues certificates in your name then none of your OpenVPN endpoints will accept these, because only certificates issued by your own CA gets accepted.<\/p>\n
Apart from that: Using a self-signed certificate does not impose a risk by itself, not for VPN and not for HTTPS. The risk is only if the certificate is not fully validated. A self-signed certificate can not be validated without additional information. So if a client connects to a server,\u00a0the connection is\u00a0 encrypted, but the server is not verified.<\/p>\n
If the server is not verified a man in the middle attack is possible. This not only includes stealing the VPN credentials but intercepting the traffic or modifying the traffic. Since VPN connections are often considered as safe as internal connections inside the company the attacker can thus get access to interesting data or mount attacks against internal clients.<\/p>\n
Knowing this, we will need to add some extra security measures.<\/p>\n