Back to configuration

Extended usage of the CA and keys

The button "Generate Root/Host certificates" leads you to the section where you can generate all necessary certificates (certification authority) as well as all keys required to operate OpenVPN. Before the PKI can be generated, some specific data must still be provided.

The Diffie-Hellman Parameter

Note!
As of Core 123, creating Diffie-Hellman keys with a length of 1024 bits is no longer possible because they are considered insecure and are not supported by OpenVPN. The web user interface shows warnings about this and other cryptographic issues.

The Diffie-Hellman parameter length can be set to 2048, 3072 or 4096 bits.

Note!
Generating Diffie-Hellman parameters can take a long time; 3072 and 4096 bits in particular can take at least several hours.
  • If weak systems or systems with little entropy are to use large DH lengths, it is recommended to generate the parameters on another system and integrate them into IPFire using the upload function.
  • With large DH lengths, connection setup and the generation of the session key (every 3600 sec.) can take perceptibly more time.
  • On virtual machines without a HWRNG this can take even longer. If many different sources access the entropy pool (e.g. several IPsec connections, Tor, SSH...), connection interruptions can occur. Using a PRNG or, even better, a HWRNG can help to prevent these problems.

If everything has been done correctly, the browser returns to the default OpenVPN page and shows all newly generated certificates and keys in the "Certificate Authorities and -Keys" chart.

Since Core 79, a new OpenVPN directive called --tls-auth is available. The required 2048 bit key is generated when the PKI is built; activating this option in the web interface also generates the key if it is not present.

Upload PKCS#12 file

IPFire can also be configured as a client; for this purpose a PKCS#12 file (optionally saved with a password) can be uploaded.

In this mode the server functions are disabled because, among other things, the index.txt and the Diffie-Hellman key are not generated. Likewise, an appropriate configuration file must be integrated manually for the IPFire client to work.

Note!
With Core 79, the RSA key bit lengths and the signature algorithms of all certificates and keys were changed. On >= Core 79, a newly generated root certificate uses a key length of 4096 bit and a SHA2 signature algorithm with 512 bit; a newly generated host certificate uses 2048 bit and a SHA2 signature algorithm with 256 bit (the same applies to the CRL). The RSA key for the control channel has been enlarged to 2048 bit. To use these improvements, the whole PKI must be generated again with >= Core 79.
