What's the point of linking users to certificates for OpenVPN?

[moware]

At the bottom of VPN: OpenVPN: Client Export, I can see which certificates are linked to which users.

I thought that the purpose of this was to ensure that only these combinations of certificate+user are valid, i.e. that a user can only log in with a certificate linked to them.

But it appears that I was mistaken: I just tried connecting with my personal login data and a certificate which is not linked to any user yet and... to my surprise, it just worked.

If that is not the purpose of linking certificates with users, what is the purpose?

Thanks for enlightening me
Heinzi

(Note: I know that I can configure OpenVPN to match user names and certificate CNs. That's not what my question is about. My question is about the linking between users and certificates that can be configured in System: Access: Users: (Choose user): User certificates, and which is shown in VPN: OpenVPN: Client Export.)

[banym]

The certificate expires. If you create a certificate for each user you can deploy a unique certificate for each user. If the certificate expires or is revoked by your CA the user can't login even if he has still a valid login.

We give certificate with limited lifetime to external people or for external project members to ensure the access need to be renewed manually.

[moware]

@banym: Yes, using expiring certificates is definitely useful. Unfortunately, however, I do not see how this is related to my question...

[banym]

I think the option you are looking for is: Strict User/CN Matching

[klontje]

I think the option you are looking for is: Strict User/CN Matching

I think he mentioned explicitly that he is not looking for that and is aware of that feature 

What he wants to know is what is the value of linking certificates to users when not enabling this feature. My 2 cents; it probably does not provide any value except for administrative purposes and the ability to enable the strict linking.

[banym]

Ah sorry 

Yes, I agree without using one of that features and don't want to be able to revoke certificates per user. I don't see added value, too.

[Mks]

I'm not sure if I got your point but let's give it a try.

Basically you can use to establish a VPN connection with "any" valid certificate signed by your trusted CAs and the associated private key. It is not necessary that you link those to the user (except you use the CN match option).

But you must not share  private keys with multiple users. Therefore you create for each user a separate certificate (and private key) which you can individually revoke (e.g employee leaves the company, private key compromised etc ...). With the linkage to the user you've a clear assignment and ownership.

You'll get in a lot of trouble if you use the same certificate and private key for multiple users. In worst case if the VPN is used by 1000 Users and only one if compromised you need to block access for all and provision to all new ones.

br
 

[moware]

What he wants to know is what is the value of linking certificates to users when not enabling this feature. My 2 cents; it probably does not provide any value except for administrative purposes and the ability to enable the strict linking.

Well, the documentation of the "Strict User/CN Matching" option says:

When authenticating users, enforce a match between the Common Name of the client certificate and the username given at login.

which I would interpret such that the CN and the user name must be an exact string match. So, apparently, that's a completely different feature than the "linking certificates" of opnsense, which allows me to link arbitrary certificates and logins (irrespective of the certificate's Common Name!).

So, linking certificates and logins is only useful for administrative purposes...?

[franco]

Basically, yes, the client export feature profits from this association.

I think this is most useful by adding certificates for the user directly in the user manager where the CN is automatically correct.

A lot of fluff, but definitely useful in terms of "reserved for future use".


Cheers,
Franco