Client and server certificates for the eBlocker Mobile feature are
issued by the class OpenVpnCa in version 2.5.1 or later.
Previously, the package easy-rsa was used. The post-install
script of the package eblocker-icapserver imports an
existing CA created by easy-rsa.
Which files does the eBlocker Mobile CA need?

- ca.crt: CA certificate
- ca.key: CA private key
- crl.pem: revocation list of device certificates

The CA generates these private keys and certificates:

Which files does the OpenVPN server need?

- ca.crt: see above
- crl.pem: see above
- eblocker.crt: server certificate
- eblocker.key: server private key
- dh2048.pem: Diffie-Hellman parameters, generated by OpenSSL
- ta.key: static key for additional protection against DoS attacks (see option tls-auth). The key is generated by openvpn.

Which files do the clients need (in their configuration)?

- ca.crt: see above
- ta.key: see above
- device:MAC.crt: client certificate
- device:MAC.key: client private key

All these files must be imported from easy-rsa:

- ca.crt
- ca.key
- crl.pem
- eblocker.crt
- eblocker.key
- dh2048.pem
- ta.key
- device:*.crt
- device:*.key

- /opt/eblocker-icap/keys/mobile: CA writes its keys, certificates and CRLs here.
- /opt/eblocker-icap/keys/mobile/clients: CA writes client keys and certificates here. Revoked keys and certificates are deleted.
- /etc/openvpn: All files that the OpenVPN server accesses directly are copied/generated here.

- /etc/openvpn/easy-rsa to /opt/eblocker-icap/keys/mobile. Change owner of files to icapd.
- /etc/openvpn/easy-rsa to /opt/eblocker-icap/keys/mobile/clients. Change owner of files to icapd.
- /etc/openvpn/easy-rsa directory recursively.

The server control script openvpn-server-control has the
following modes:

- ta.key
- OpenVpnCa to the OpenVPN configuration directory.
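
The file lists and directories described above can be checked mechanically after an import. The following shell function is an added example, not part of eBlocker or its packages; the name audit_mobile_ca and its three arguments are hypothetical, and the defaults assume the directories and the icapd owner stated on this page.

```shell
#!/bin/sh
# Added example, not eBlocker code: audit the key layout described on this page.
# Usage: audit_mobile_ca [CA_DIR] [OPENVPN_DIR] [OWNER]
# Prints one line per finding; returns 0 if the layout is clean, 1 otherwise.
audit_mobile_ca() {
    ca_dir=${1:-/opt/eblocker-icap/keys/mobile}
    ovpn_dir=${2:-/etc/openvpn}
    owner=${3:-icapd}
    problems=0
    note() { echo "PROBLEM: $*"; problems=$((problems + 1)); }

    # Files the CA itself needs.
    for f in ca.crt ca.key crl.pem; do
        [ -f "$ca_dir/$f" ] || note "missing CA file $ca_dir/$f"
    done
    # Files the OpenVPN server accesses directly.
    for f in ca.crt crl.pem eblocker.crt eblocker.key dh2048.pem ta.key; do
        [ -f "$ovpn_dir/$f" ] || note "missing server file $ovpn_dir/$f"
    done
    # Every client certificate needs its private key, and vice versa.
    for crt in "$ca_dir"/clients/device:*.crt; do
        [ -e "$crt" ] || continue            # glob matched nothing
        [ -f "${crt%.crt}.key" ] || note "no key for $crt"
    done
    for key in "$ca_dir"/clients/device:*.key; do
        [ -e "$key" ] || continue
        [ -f "${key%.key}.crt" ] || note "no certificate for $key"
    done
    # Files in the CA directories must belong to the service user.
    # find prints the path only when the owner matches.
    for f in "$ca_dir"/* "$ca_dir"/clients/*; do
        [ -f "$f" ] || continue
        [ -n "$(find "$f" -prune -user "$owner" 2>/dev/null)" ] \
            || note "$f is not owned by $owner"
    done
    [ "$problems" -eq 0 ]
}
```

A client certificate without its key, or the reverse, usually points to an interrupted import or a partially completed revocation, since the CA deletes both files when a device is revoked.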