choose an existing certificate for user in opnsense 24.7.X

[davidit29]

since version 24.7, it seems impossible to choose an existing client certificate for a user, it was possible to do it before in version 24.1.X.
This is something known, I have not found a solution except to modify the configuration file manually.
Thanks in advance if someone can provide a solution!

[chimmmpie]

I noticed the same issue.

As a side note i don't think opnsense does much with the certificate connection to the user but still it should be possible.

[chimmmpie]

Here is a link to a related issue: https://github.com/opnsense/core/issues/7845

[franco]

This was discussed a couple of times. A link is made when the CNs of the user and the certificate meet (which is when the certificate is actually the user's certificate).


Cheers,
Franco

[chimmmpie]

Agree to disagree.

As a sysadmin i am the one who decides on what certificate belongs to what user. Not any kind of rule from any kind of system.

If i decide the issue a certificate per user device it will never match the username because i use the device name.

It still would be nice to be able to connect the user to that certificate. It would be even better if opnsense would enforce the certificate usage to only the given user or users if that certificate is linked to more than one user.

@franco could u elaborate on the direction opnsense is going with this. And/or any other places where we could have a discussion on it.

[franco]

> Agree to disagree.

Fair enough.

> @franco could u elaborate on the direction opnsense is going with this. And/or any other places where we could have a discussion on it.

Can you narrow your scope of the question. Do you talk about TLS user auth in OpenVPN or something else?


Cheers,
Franco

[chimmmpie]

I mean the connection between the certificate and user in the opnsense UI.

[franco]

I've asked a simple question I'm willing to follow up on

[chimmmpie]

I mean the certificate check on the vpn in relation to the linked user certificate.

Currently it's more a UI thing as it is not enforced i think. Is the intention to still make it possible to manually(/api) connect a user to any certificate and enforce this relationship on openvpn auth?

[franco]

What I'm trying to get at is the benefit feature wise. We already theorised a bit what this could mean:

1. Client certificates cannot be reused in the config exporter?
2. Administrator is missing "trust" in the system even though OpenVPN will obviously allow to connect using a valid certificate.
3. The administrator would like to enforce CN, which would make sense given that if CN is the same or arbitrary it's harder to revoke a specific connection (and if you have all on the same CN you always disconnect all users).
4. Group CN support in order to match a CN of a certificate to a group and associate users with this group to connect (also fixes #1).


Cheers,
Franco

[Patrick M. Hausen]

Wild guess:

Administrator wants to limit user X to cert Y, but for an arbitrary cert not matching CN and user name "for reasons".

[franco]

Ok here is my whole point: they can?


Cheers,
Franco

[sjjh]

My current situation here is, that I'm assigning one existing cert to multiple users (not matching CN) for VPN access (like, as a MFA next to a password). (Please let's not discuss if this is a sensible setup, I inherited it and need a working setup now to buy time to design and introduce a better concept for my users, e.g., using individual certs per user.)
@franco if I understood you correctly, this should still be doable. I fail so in the Web UI. Can you please elaborate how I can assign an existing non matching cert to a user?

Thanks for your support!
Simon

[franco]

Again, are we talking about client export or just simple OpenVPN client side? "Strict User/CN Matching" is off by default so any certificate given will do (unless expired or revoked). It can be the same for all clients. Coercing the client exporter to give the arbitrary cert will be much harder (and very likely needs a number of code changes).


Cheers,
Franco

[sjjh]

Sorry for expressing myself not clear enough. And I'm also not sure if I understand your question about "client export vs. simple OpenVPN client side".
I tested a little further and for me it seems to work by:
1. creating a user without adding/assigning any certificate
2. client export within OpenVPN, with the certificate I used to attach to my VPN users.
So there might actually not be a (technical) problem for me right now. And I might just have been confused ("usability problem") by not being able to add the cert to the user anymore and not seeing any users linked anymore to the cert in OpenVPN > Client export. Sry for the noise.