
I have this requirement: the client certificate generated for a user shouldn't be exportable or usable from a different device to make a successful VPN connection.

I was following these steps to generate a client certificate with easyrsa. However, when exporting the client crt and key, I'm still able to make a successful VPN connection.

What are some of the ways to block or restrict the certificate to a specific device?

I read about MAC address filtering, but I'm not sure if this works on Tunnelblick (https://openvpn.net/vpn-server-resources/access-server-post-auth-script-host-checking/).

Steps followed to generate a client key pair:

    ./easyrsa gen-req test_client_vpn nopass
    ./easyrsa sign-req client test_client_vpn

amateur

1 Answer


There's no way to lock a private key to a single device other than to generate it on that device in such a way that it can never be exported. This is an important part of what security hardware chips such as Trusted Platform Modules, Smart Cards, SIM cards, and YubiKeys (and other U2F / FIDO devices) do.

Microsoft Windows provides ways to generate a "device key" that is not supposed to be exportable from Windows' built-in "Certificate Store" ("store" as in a storage place, not a retail shop), but it's not backed by hardware, so software tools exist that can still let someone with the right level of access and know-how extract "unexportable" private keys from the cert store.

The advantage of the security hardware modules is that they physically lack the circuitry to export the private keys they generate.

Spiff
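As an added example (not from the question or the answer above), here is what the answer's advice looks like in an OpenVPN client configuration: the file-based setup from the question, which works from any machine the two files are copied to, beside a PKCS#11-backed setup where the private key was generated on a smart card or YubiKey and never leaves it. The provider library path, the token label and the certificate object name are assumptions for illustration; on a real client the `pkcs11-id` value is taken from the output of `openvpn --show-pkcs11-ids <provider>`. Whether Tunnelblick exposes these directives is not something the question or answer establishes.

```conf
# --- Setup from the question: software key in a PEM file. ---
# Anyone holding copies of these two files can connect, so the
# certificate is bound to the files, not to the device.
client
dev tun
proto udp
remote vpn.example.invalid 1194      # assumed server name
ca   ca.crt
cert test_client_vpn.crt
key  test_client_vpn.key             # plain PEM; trivially copied

# --- Hardware-backed alternative implied by the answer. ---
# The key pair is generated inside the token; OpenVPN asks the
# token to sign the TLS handshake and never reads the private key.
client
dev tun
proto udp
remote vpn.example.invalid 1194      # assumed server name
ca   ca.crt
# PKCS#11 provider library (path is an assumption; varies by OS/driver)
pkcs11-providers /usr/lib/opensc-pkcs11.so
# Object id as printed by: openvpn --show-pkcs11-ids /usr/lib/opensc-pkcs11.so
# (label and serial below are placeholders, not real values)
pkcs11-id 'pkcs11:model=PKCS%2315;token=VPN%20TOKEN;serial=PLACEHOLDER;id=%01'
# No "cert" or "key" directive: both are read from the token at connect time.
```

The operational difference is that in the first configuration the server has no way to tell an original client from a copy, because the proof of possession is the same file. In the second, the proof of possession is a signature the token performs on demand, so a stolen configuration file alone is not enough to connect, and the attestation of "which device" is only as strong as the token's guarantee that the key is non-exportable, which is exactly the point the answer makes about hardware versus software stores.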