Private method for getting a PKCS#11 certificate
In this recipe we will configure OpenVPN to use a private certificate on a hardware token. Normally, the certificates stored on a hardware token are publicly accessible, as a certificate is 'public' anyway. Some tokens allow the user to protect the certificates, so that the token password is always needed to retrieve them. OpenVPN supports this kind of hardware token.
Getting ready
We use the following network layout:
Keep the hardware token from the first recipe at hand. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 12 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf from the Chapter 2 recipe Server-side routing at hand.
How to do it...
First, we store the certificate client2.crt and the corresponding private key client2.key on the token with protection (attribute CKA_PRIVATE) enabled. This is done using the pkcs11-tool command-line option...