Topic: Install CA as standard user (Read 4699 times)
robertkwild (Jr. Member, Posts: 87, Karma: 3)
Install CA as standard user « on: January 31, 2022, 03:40:28 pm »
Hi all,
Created an IPsec IKEv2 EAP-MSCHAPv2 and I can connect to it via my mobile and a Windows 10 client, no problem.
Obviously need to install the CA on the client, which is fine, but what about if the user is a standard user on Windows 10 and they can't install the CA as they're a standard user, not admin?
How can this be done, please?
Thanks,
Rob

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #1 on: February 02, 2022, 05:37:29 pm »
Any help with this, please?
As when I do install the CA as a standard user in "Trusted Root CAs" it's saved, but when I then log in to my IPsec server it doesn't connect, just gives me the error
IKE authentication credentials are unacceptable
It works when I install the CA as admin, though.
Any help would be much appreciated.

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #2 on: February 02, 2022, 05:53:33 pm »
I import the CA certificate with a PowerShell script that I run as administrator with extended rights.
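
An elevated import of the kind described in the reply above, as an added example (this is not atom's script, which the thread does not show). It checks for elevation, verifies the CA file against a fingerprint obtained out of band, and imports it into the machine-wide root store; `$CaPath` and `$ExpectedSha256` are placeholder parameters.

```powershell
# Added example: import the OPNsense CA into the machine-wide trusted root store.
# Run from an elevated prompt. $CaPath and $ExpectedSha256 are placeholders.
param(
    [Parameter(Mandatory)][string]$CaPath,          # CA certificate file exported from OPNsense
    [Parameter(Mandatory)][string]$ExpectedSha256   # fingerprint obtained out of band from the firewall admin
)
$ErrorActionPreference = 'Stop'

# LocalMachine\Root can only be written by an administrator.
$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: LocalMachine\Root cannot be modified by a standard user.'
}

$file = (Resolve-Path $CaPath).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file)

# Refuse to trust anything whose SHA-256 fingerprint does not match the pinned value.
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$actual   = [System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[:\s-]', '').ToUpperInvariant()
if ($actual -ne $expected) { throw "Fingerprint mismatch: got $actual" }

# Only an unexpired CA certificate belongs in a root store.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) { throw 'Certificate is not marked as a CA (basicConstraints).' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm the certificate is now present in the machine store.
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Import reported success but the certificate is not in LocalMachine\Root.'
}
"Imported {0} (SHA-256 {1}) into LocalMachine\Root" -f $cert.Subject, $actual
```

On managed work PCs the same import is normally pushed by an administrator through central management rather than run by the user.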

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #3 on: February 02, 2022, 06:42:29 pm »
Cool.
Thing is, there are work PCs and they don't have admin rights to install the CA.

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #4 on: February 02, 2022, 06:49:28 pm »
It is not possible to change the certificate store as a normal user by design - for security reasons.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/trusted-root-certification-authorities-certificate-store

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #5 on: February 02, 2022, 06:56:08 pm »
What about importing the server cert as a normal user instead of the CA, will that work?

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #6 on: February 02, 2022, 07:13:48 pm »
No, that will not work.
Have you already tried to provide the OPNsense with an ACME certificate and use that for authentication?
The CA certificates from Let's Encrypt should already be in the cert store.

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #7 on: February 02, 2022, 07:18:18 pm »
ATM, I'm creating the cert, both CA and server cert, using the OPNsense create self-signed cert method.
You think I should change to Let's Encrypt certs?

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #8 on: February 02, 2022, 07:21:27 pm »
Yes, then you no longer have to import the CA certificates into Windows, because they should already be there.

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #9 on: February 02, 2022, 08:23:50 pm »
Thanks atom
Is there a good how-to to do this?
I imagine I need to install the Let's Encrypt package on OPNsense.

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #10 on: February 02, 2022, 08:31:39 pm »
Yes, you're right - os-acme-client. You can find a short documentation of the plugin here:
https://github.com/opnsense/plugins/pull/66

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #11 on: February 02, 2022, 08:37:33 pm »
Thanks atom,
Would I need to import the Let's Encrypt cert under
System > Trust > Authorities?

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #12 on: February 02, 2022, 08:59:31 pm »
No, you do not have to do this manually. It is installed automatically by ACME when the certificate process has been successfully completed.

robertkwild (Jr. Member, Posts: 87, Karma: 3)
Re: Install CA as standard user « Reply #13 on: February 03, 2022, 12:19:20 pm »
Thanks atom
Obviously I will need to open port 80 to my WAN address, i.e. the OPNsense firewall. Is that a security risk?

atom (Full Member, Posts: 207, Karma: 4)
Re: Install CA as standard user « Reply #14 on: February 03, 2022, 12:39:17 pm »
Every open port in a firewall is a potential security risk.
I'll use DNS-01. No port needs to be opened for this.