author | Selva Nair | 2023-01-28 17:34:18 -0500 |
---|---|---|
committer | Gert Doering | 2023-02-14 16:28:13 +0100 |
commit | a8ff15ce49b69816b64387e3387b9a310891d12a (patch) | |
tree | 31b81ac77f1a5e610f379328eaa423a93dfbef7b /doc | |
parent | 5a70f5025a3f1aee53b531b2e7713dd99fa175bb (diff) | |
download | openvpn-a8ff15ce49b69816b64387e3387b9a310891d12a.zip openvpn-a8ff15ce49b69816b64387e3387b9a310891d12a.tar.gz |
Option --cryptoapicert: support issuer name as a selector
- Certificate selection string can now specify a partial
issuer name string as "--cryptoapicert ISSUER:<string>" where
<string> is matched as a substring of the issuer (CA) name in
the certificate.
Partial case-insensitive matching against the "issuer name" is
used. Here "issuer name" is a text representation of the RDNs
separated by commas.
E.g., "CA, Ontario, Toronto, Acme Inc., IT, Acme Root CA".
See MSDN docs on CertFindCertificateInStore() with CERT_FIND_ISSUER_STR
as "FindType" for more details.
As the order of RDNs is not well-defined[*] and type names like "OU"
or "CN" are not included, it's best to match against a single attribute
like the CN of the issuer:
E.g., --cryptoapicert "ISSUER:Acme Root"
[*] Windows appears to order RDNs in the reverse order to which
it's written in the certificate, but do not rely on this.
Signed-off-by: Selva Nair <selva.nair@gmail.com>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <20230128223421.2207802-2-selva.nair@gmail.com>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg26092.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
(cherry picked from commit b9e0e4060798ed88d2170702f2935754616b1200)
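Because "ISSUER:<string>" is a substring match and a CA normally issues more than one certificate, it is worth checking which certificates the selector can reach before putting it in a config. The PowerShell script below is an added example, not OpenVPN code: it walks the personal ("My") store of the current user and of the machine, skips expired certificates, and applies a case-insensitive substring test against the issuer's RDN values joined by ", " with the type names stripped, which is what the commit message describes for CERT_FIND_ISSUER_STR. The joined string is built from .NET's X500DistinguishedName and is an approximation of the text CertFindCertificateInStore compares against (RDN order in particular may differ), the assumption that OpenVPN consults the "My" store of both locations is taken from the commit message, and the script, parameter and function names are the author's own.

```powershell
# Added example (not OpenVPN's code): list the certificates that
# "--cryptoapicert ISSUER:<string>" could select, so the selector can be
# checked for ambiguity before it goes into a config.
# Assumptions: OpenVPN looks in the personal ("My") store of the current
# user and of the machine, skips expired certificates, and matches
# <string> case-insensitively as a substring of the issuer's RDN values
# joined by ", " without type names (CERT_FIND_ISSUER_STR). The joined
# string built here from X500DistinguishedName only approximates what
# CertFindCertificateInStore compares against; RDN order may differ, so
# match on a single attribute such as the issuer CN.

param(
    [Parameter(Mandatory = $true)]
    [string]$IssuerSubstring,
    [string[]]$StorePaths = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
)

# Turn an X500DistinguishedName into "value1, value2, ..." with the
# "CN=" / "OU=" / ... type prefixes removed, one entry per RDN.
function Get-IssuerValueString {
    param([System.Security.Cryptography.X509Certificates.X500DistinguishedName]$Name)
    # Format($true) puts each RDN on its own line, e.g. "CN=Acme Root CA".
    # Multi-valued RDNs ("OU=a + OU=b") are kept on one line as-is.
    $values = $Name.Format($true) -split "`r?`n" |
        Where-Object { $_ -ne '' } |
        ForEach-Object { $_ -replace '^[^=]+=', '' }   # strip up to the first "="
    return ($values -join ', ')
}

function Find-CryptoApiCertByIssuer {
    param([string]$Substring, [string[]]$Paths)
    $now = Get-Date
    foreach ($path in $Paths) {
        # Listing LocalMachine\My does not need elevation; only key use does.
        $certs = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
        foreach ($cert in $certs) {
            $issuerText = Get-IssuerValueString -Name $cert.IssuerName
            # IndexOf with OrdinalIgnoreCase: a plain case-insensitive substring
            # test, without the wildcard handling -like would apply to the input.
            $hit = $issuerText.IndexOf($Substring,
                       [System.StringComparison]::OrdinalIgnoreCase) -ge 0
            if ($hit -and $cert.NotAfter -gt $now) {
                [pscustomobject]@{
                    Store         = $path
                    Thumbprint    = $cert.Thumbprint
                    Subject       = $cert.Subject
                    IssuerText    = $issuerText
                    NotAfter      = $cert.NotAfter
                    HasPrivateKey = $cert.HasPrivateKey   # needed for TLS client auth
                }
            }
        }
    }
}

$hits = @(Find-CryptoApiCertByIssuer -Substring $IssuerSubstring -Paths $StorePaths)
$hits | Format-Table -AutoSize

switch ($hits.Count) {
    0 { Write-Warning "No non-expired certificate has an issuer matching '$IssuerSubstring'" }
    1 { Write-Host "Unambiguous selector: --cryptoapicert `"ISSUER:$IssuerSubstring`"" }
    default {
        Write-Warning ("$($hits.Count) certificates match; OpenVPN takes the first one it finds. " +
                       "Pin the intended one with --cryptoapicert `"THUMB:<thumbprint>`" from the table.")
    }
}
```

Save it as, say, Check-CryptoApiIssuer.ps1 and run `.\Check-CryptoApiIssuer.ps1 -IssuerSubstring 'Acme Root'`. Anything other than exactly one row with HasPrivateKey set to True means the ISSUER selector is not a safe choice for that machine and the THUMB form should be used instead; the authoritative answer is still what OpenVPN itself logs when it opens the certificate.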
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man-sections/windows-options.rst | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/doc/man-sections/windows-options.rst b/doc/man-sections/windows-options.rst index 368f7b1..e87291f 100644 --- a/doc/man-sections/windows-options.rst +++ b/doc/man-sections/windows-options.rst @@ -41,13 +41,22 @@ Windows-Specific Options cryptoapicert "SUBJ:Peter Runestig" - To select a certificate, based on certificate's thumbprint: + To select a certificate, based on certificate's thumbprint (SHA1 hash): :: cryptoapicert "THUMB:f6 49 24 41 01 b4 ..." The thumbprint hex string can easily be copy-and-pasted from the Windows - Certificate Store GUI. + Certificate Store GUI. The embedded spaces in the hex string are optional. + + To select a certificate based on a substring in certificate's + issuer name: + :: + + cryptoapicert "ISSUER:Sample CA" + + The first non-expired certificate found in the user's store or the + machine store that matches the select-string is used. --dhcp-release Ask Windows to release the TAP adapter lease on shutdown. This option |
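Review bot: the new ISSUER paragraph in windows-options.rst does not tell the reader how the string is matched, even though the commit message does: a case-insensitive substring of the issuer's RDN values joined by commas, with no "CN="/"OU=" type names and an RDN order that should not be relied on. Without that, "ISSUER:Sample CA" reads as if it required the full issuer name, and a user who writes "CN=Sample CA" will match nothing. Suggest carrying the commit-message guidance over, e.g. "<string> is matched case-insensitively as a substring of the issuer name (the RDN values, without type names, separated by commas); match against a single attribute such as the issuer's CN." The closing sentence "The first non-expired certificate found in the user's store or the machine store that matches the select-string is used." should also say that the search order is unspecified, and since an issuer string normally matches every certificate that CA has issued to this user, recommend THUMB whenever more than one certificate from that issuer may be present. Nit in the same hunk: "based on certificate's thumbprint (SHA1 hash)" wants "the certificate's".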