Install CA as standard user

Started by robertkwild, January 31, 2022, 03:40:28 PM

Hi all,

Created an IPsec IKEv2 EAP-MSCHAPv2 VPN and I can connect to it via my mobile and a Windows 10 client no problem.

Obviously I need to install the CA on the client, which is fine, but what if the user is a standard user on Windows 10 and can't install the CA because they are a standard user, not an admin?

How can this be done, please?

Thanks,
Rob

Any help with this, please?

When I do install the CA as a standard user in "Trusted Root CAs" it's saved, but when I then log in to my IPsec server it doesn't connect, it just gives me the error

IKE authentication credentials are unacceptable

It works when I install the CA as admin, though.

Any help would be much appreciated.
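As an added example, not from any poster in this thread, the following PowerShell check shows where the imported CA actually landed. The Windows IKEv2 client validates the VPN server certificate against the machine's Trusted Root store (LocalMachine\Root), so a CA that a standard user imports into their own CurrentUser\Root store is invisible to it; the CA file path is an assumed placeholder.

```powershell
# Added example: report whether a CA certificate is trusted by the current user only
# or by the machine. The Windows IKEv2 client checks the VPN server certificate against
# LocalMachine\Root, so a CA sitting only in CurrentUser\Root does not help.
param(
    [string]$CaPath = 'C:\temp\opnsense-ca.crt'   # assumed path to the exported CA cert
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath
Write-Host ("CA subject   : {0}" -f $ca.Subject)
Write-Host ("CA thumbprint: {0}" -f $ca.Thumbprint)

# A standard user can read both stores but can only write to the CurrentUser one.
$stores = [ordered]@{
    'CurrentUser\Root'  = 'Cert:\CurrentUser\Root'
    'LocalMachine\Root' = 'Cert:\LocalMachine\Root'
}
$inMachineStore = $false
foreach ($name in $stores.Keys) {
    $hit = Get-ChildItem -Path $stores[$name] | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
    $state = if ($hit) { 'present' } else { 'missing' }
    Write-Host ("{0,-18}: {1}" -f $name, $state)
    if ($name -eq 'LocalMachine\Root' -and $hit) { $inMachineStore = $true }
}

if (-not $inMachineStore) {
    Write-Warning 'CA is not in LocalMachine\Root; expect "IKE authentication credentials are unacceptable".'
    Write-Warning 'Either an administrator imports it there, or the server cert must chain to a CA Windows already trusts.'
}
```

Run it as the standard user who did the import; "present" under CurrentUser\Root and "missing" under LocalMachine\Root is exactly the situation described in the post above.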

I import the CA certificate with a PowerShell script that I run as administrator with extended rights.

Cool.

Thing is, they are work PCs and they don't have admin rights to install the CA.

What about importing the server cert as a normal user instead of the CA, will that work?

No, that will not work.

Have you already tried to provide the OPNsense with an ACME certificate and use that for authentication?
The CA certificates from Let's Encrypt should already be in the cert store.

ATM I'm creating both the CA and the server cert using the OPNsense self-signed cert method.

You think I should change to Let's Encrypt certs?

Yes, then you no longer have to import the CA certificates into Windows, because they should already be there.

Thanks atom

Is there a good how-to for this?

I imagine I need to install the Let's Encrypt package on OPNsense.

Yes, you're right - os-acme-client. You can find a short documentation of the plugin here:

https://github.com/opnsense/plugins/pull/66

Thanks atom,

Would I need to import the Let's Encrypt cert under

System > Trust > Authorities

No, you do not have to do this manually. It is installed automatically by ACME when the certificate process has been successfully completed.

Thanks atom

Obviously I will need to open port 80 to my WAN address, i.e. the OPNsense firewall. Is that a security risk?

Every open port in a firewall is a potential security risk.
I'll use DNS-01. No port needs to be opened for this.