OpenVPN relies on cryptographic keys and certificates for secure communication between a VPN client and the remote server. The WWPass PassKey Two-Factor Authentication technology, in conjunction with Microsoft CryptoAPI, can fortify those keys and give users and systems administrators peace of mind by taking the challenge of protecting private cryptographic information out of their hands. The number one issue with distributing private keys and certificates is that the storage which now houses that private information (generally a user’s PC) is significantly less secure than the server which generated the keys in the first place. This provides an attacker with a weak link so they can attempt to steal those keys (which would essentially give them access to the remote VPN server while they impersonate the user who originally owned the keys).
Using the WWPass Passkey 2FA and Microsoft CryptoAPI to guard user keys takes your network’s VPN security to the next level by protecting keys which a systems administrator typically would not be able to track or audit. When a systems administrator hands out certificates and keys to a VPN user, that’s where assurance of security goes out the window. As soon as that user walks away, there’s no telling where or how that user will use or store those keys or who else has access to those systems. The WWPass PassKey Cryptographic Token forces the user to be secure by requiring two-factor authentication (something the user knows, a Pass Code, and something the user has, the cryptographic token).
OpenVPN provides support for Microsoft’s CrpytoAPI Certificate Store but the documentation around its use is weak at best. This will provide a quick walk-through on using your PassKey with OpenVPN. This tutorial assumes you already have an issued PKCS#12 certificate and key pair already loaded onto your PassKey. If you have a PKCS#12 file and need to push it to your PassKey or if you have the private key and certificate in their individual components, please follow the guide here for steps on how to create PKCS#12 files and to push them to your PassKey: Securing OpenSSH with WWPass PassKey
Certificate Thumbprint
A PKCS#12 certificate “thumbprint” is a hash of the certificate uniquely identifying that specific certificate. It’s an easy way to tell another software that you intend to you a specific certificate for authentication instead of prompting every time. Thumbprints also solve issues related to using a certificate’s “Subject” line which is not unique information and can run into issues where a user has two or more certificates using the same name.
There’s two easy ways of finding your certificate’s thumbprint. You can either use Internet Explorer to browse the certificate store or you can use the WWPass Dashboard. Either method is valid but currently the WWPass Dashboard does not include any mechanism to copy and paste the thumbprint text so you’ll have to manually type it in.
The Internet Explorer Way:
Open Internet Explorer and click on the “cog” icon in the upper right corner. Then in the drop-down menu select Internet Options. Within the Content tab, click on the Certificates button. Here will be a full list of your certificates loaded in the Microsoft Certificate Store. Navigate to your VPN client certificate and double click the certificate. Under the Details tab you can find the Thumbprint field. You can now select and copy the contents of the thumbprint field.
Note: Sometimes the thumbprint field will contain a non-ASCII character before the first hex pair. If you try to save the exact text in notepad it will warn you. Please remove this first blank space (before the first hex pair) to avoid this issue.
The WWPass Dashboard Way:
Open the WWPass Dashboard software by clicking on its icon in the bottom right Windows Task bar. Click on the Certificates tab to view all loaded PKCS#12 certificates. Click on the Certificate Name of your VPN certificate to view the Certificate Details dialog. At the bottom of that dialog you can see your certificate thumbprint in the SHA1 Fingerprint field.
OpenVPN Client Config File
Now we need to actually point OpenVPN to our certificate for use. For this we will use the cryptoapicert option and we will need to specify that we intend to use a certificate thumbprint as an identifier. Here’s an example configuration file using a certificate within the Microsoft Certificate Store. If you don’t already have the WWPass Root CA certificate you can download it from the WWPass Developers website.
# Specify that this is a client configuration
client# Specify transport protocol to use
proto udp# Let OpenVPN know that we want to use Microsoft CryptoAPI for Two-Factor Auth and we
# have specified the certificate to use by its thumbprint identifier
# Note: When copying the thumbprint from IE, there may be non-ASCII characters at the
# start of the thumbprint, please remove those when copying. Also, if you’ve directly
# copied this config, the parenthesis will be non-standard, please replace them with
# normal parenthesis.
cryptoapicert “THUMB:7a 3d 1d c8 35 26 91 87 e5 7d f7 ca 8e 88 a5 1c bf 46 9f da”resolv-retry 20
keepalive 10 120# Advertise encryption to use, must match the server-side configuration
cipher AES-256-CBCnobind
mute-replay-warnings
ns-cert-type server
comp-lzo
persist-key
persist-tun# Verbosity level
verb 5
dev tun# Remote server and port to connect to
remote joscor.com 4605# Root Certificate Authority (CA) certificate
ca ‘C:\\Program Files (x86)\\OpenVPN\\certs\\joscor-vpn-ca.crt’
