- First, copy the files from the easy-rsa 2.0 package to a working
directory of your own (the source path below is where this system
installs easy-rsa; it differs per distribution):
$ mkdir ~/pptp
$ cd ~/pptp
$ cp -a /usr/share/easy-rsa/2.0/* .
- Next, modify the vars file to suit your setup. For this tutorial
I use the following:
export EASY_RSA="`pwd`"
export OPENSSL="openssl"
export PKCS11TOOL="pkcs11-tool"
export GREP="grep"
export KEY_CONFIG=`$EASY_RSA/whichopensslcnf $EASY_RSA`
export KEY_DIR="$EASY_RSA/keys"
echo NOTE: If you run ./clean-all, I will be doing a rm -rf on $KEY_DIR
export PKCS11_MODULE_PATH="dummy"
export PKCS11_PIN="dummy"
export KEY_SIZE=2048
export CA_EXPIRE=3650
export KEY_EXPIRE=3650
export KEY_COUNTRY="NL"
export KEY_PROVINCE="NH"
export KEY_CITY="Amsterdam"
export KEY_ORG="Nikhef"
export KEY_EMAIL=""
export KEY_OU="CT"
export KEY_NAME="PPTP"
- Load the environment variables and initialize the environment
$ . ./vars
NOTE: If you run ./clean-all, I will be doing a rm -rf on /home/janjust/pptp/keys
$ ./clean-all
NOTE: even for a brand-new directory the ./clean-all step is required: it
creates the keys directory (mode 700) together with the empty index.txt
and the serial file that OpenSSL's ca command needs. It also removes
everything already in $KEY_DIR, so never run it again once the CA exists.
- Next, build the CA certificate and key for your PKI. The resulting
keys/ca.key signs every certificate the server will trust, so keep it
readable only by you and do not copy it to the PPTP server along with
the server certificate and key:
$ ./build-ca
Generating a 2048 bit RSA private key
............................................................................+++
....................................................................................................+++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [NL]:
State or Province Name (full name) [NH]:
Locality Name (eg, city) [Amsterdam]:
Organization Name (eg, company) [Nikhef]:
Organizational Unit Name (eg, section) [CT]:
Common Name (eg, your name or your server's hostname) [Nikhef CA]:PPTP CA
Name []:
Email Address []:
- Generate the PPTP server certificate. The --batch option takes the DN
from vars instead of prompting, and build-key-server signs the request
with the server extensions (serverAuth) from easy-rsa's OpenSSL config:
$ ./build-key-server --batch pptp-server
Generating a 2048 bit RSA private key
............................................................+++
........+++
writing new private key to 'pptp-server.key'
-----
Using configuration from /home/janjust/pptp/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'NH'
localityName :PRINTABLE:'Amsterdam'
organizationName :PRINTABLE:'Nikhef'
organizationalUnitName:PRINTABLE:'CT'
commonName :PRINTABLE:'pptp-server'
Certificate is to be certified until Jun 13 10:16:12 2024 GMT (3650 days)
Write out database with 1 new entries
NOTES
- Generate a client certificate whose private key is encrypted with a
passphrase (build-key-pass asks for it twice; the client will need it
every time it loads the key):
$ ./build-key-pass --batch pptp-client
Generating a 2048 bit RSA private key
...............+++
.....................................+++
writing new private key to 'pptp-client.key'
Enter PEM pass phrase: XXXXX
Verifying - Enter PEM pass phrase: XXXXX
-----
Using configuration from /home/janjust/pptp/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'NH'
localityName :PRINTABLE:'Amsterdam'
organizationName :PRINTABLE:'Nikhef'
organizationalUnitName:PRINTABLE:'CT'
commonName :PRINTABLE:'pptp-client'
Certificate is to be certified until Jun 13 10:25:43 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
NOTE
- You can also generate a PKCS#12 bundle, which packs the client
certificate, its private key and the CA certificate into one file
protected by an export password; this is the format Windows' certificate
import expects. Note that the plain .key file is still written to keys/
without a passphrase (no --pass was given), so remove it or protect it
like ca.key once the .p12 has been handed out:
$ ./build-key-pkcs12 --batch pptp-winclient
Generating a 2048 bit RSA private key
....+++
..................................................................+++
writing new private key to 'pptp-winclient.key'
-----
Using configuration from /home/janjust/pptp/openssl-1.0.0.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'NL'
stateOrProvinceName :PRINTABLE:'NH'
localityName :PRINTABLE:'Amsterdam'
organizationName :PRINTABLE:'Nikhef'
organizationalUnitName:PRINTABLE:'CT'
commonName :PRINTABLE:'pptp-winclient'
Certificate is to be certified until Jun 13 10:30:14 2024 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
Enter Export Password: XXXXX
Verifying - Enter Export Password: XXXXX
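The whole procedure above (CA, server certificate, passphrase-protected client key, PKCS#12 bundle), reproduced with plain openssl(1) and followed by the checks worth running before any of these files go onto the server. This is an added example; it is not part of the original tutorial and not easy-rsa's own code. The passphrases "clientpass" and "exportpass", the function names, and the extension lists in the .ext files are assumptions (easy-rsa 2.0 applies the extensions from its own openssl-1.0.0.cnf, which this approximates); openssl(1) is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of the easy-rsa tutorial or of easy-rsa itself:
# rebuild the same PKI with plain openssl(1) and then run the checks that
# matter before the files are copied to a PPTP/EAP-TLS server.
# Assumed (not from the page): passphrases "clientpass" and "exportpass",
# the extension lists below, and that openssl(1) is on PATH.

SUBJ_BASE="/C=NL/ST=NH/L=Amsterdam/O=Nikhef/OU=CT"   # the DN fields from vars

# sign_with_ca DIR CSR OUT EXTFILE: issue a 10-year cert from DIR/ca.key
sign_with_ca() {
  openssl x509 -req -days 3650 -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$4" -out "$3" >/dev/null 2>&1
}

# build_demo_pki DIR: what build-ca, build-key-server, build-key-pass and
# build-key-pkcs12 produce, written with openssl directly (all files constructed).
build_demo_pki() {
  dir=$1
  mkdir -p "$dir" && chmod 700 "$dir" || return 1
  # CA (CA_EXPIRE=3650): self-signed, explicitly marked CA:TRUE so verifiers accept it
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/ca.key" -out "$dir/ca.csr" \
    -subj "$SUBJ_BASE/CN=PPTP CA" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
    -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/ca.key"
  # Server: unencrypted key (the daemon must load it unattended), serverAuth EKU
  openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/pptp-server.key" \
    -out "$dir/pptp-server.csr" -subj "$SUBJ_BASE/CN=pptp-server" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nnsCertType=server\n' >"$dir/server.ext"
  sign_with_ca "$dir" "$dir/pptp-server.csr" "$dir/pptp-server.crt" "$dir/server.ext" || return 1
  # Client: key encrypted under a passphrase (as build-key-pass does), clientAuth EKU only
  openssl req -new -newkey rsa:2048 -passout pass:clientpass -keyout "$dir/pptp-client.key" \
    -out "$dir/pptp-client.csr" -subj "$SUBJ_BASE/CN=pptp-client" >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' >"$dir/client.ext"
  sign_with_ca "$dir" "$dir/pptp-client.csr" "$dir/pptp-client.crt" "$dir/client.ext" || return 1
  # PKCS#12 bundle for Windows: client cert + key + CA cert under an export password
  openssl pkcs12 -export -in "$dir/pptp-client.crt" -inkey "$dir/pptp-client.key" \
    -passin pass:clientpass -certfile "$dir/ca.crt" -out "$dir/pptp-client.p12" \
    -passout pass:exportpass >/dev/null 2>&1
}

# cert_has_eku CRT "TLS Web Server Authentication": true if that EKU is present
cert_has_eku() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -A1 'Extended Key Usage' | grep -q "$2"
}

# verify_pki DIR: the checks to run before deploying; returns 0 only if all hold
verify_pki() {
  dir=$1
  for c in pptp-server pptp-client; do
    openssl verify -CAfile "$dir/ca.crt" "$dir/$c.crt" >/dev/null 2>&1 \
      || { echo "$c.crt does not chain to ca.crt" >&2; return 1; }
    openssl x509 -in "$dir/$c.crt" -noout -checkend 0 >/dev/null \
      || { echo "$c.crt has expired" >&2; return 1; }
    openssl x509 -in "$dir/$c.crt" -noout -text | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)' \
      || { echo "$c.crt key is under 2048 bits" >&2; return 1; }
  done
  # role separation: only the server cert may authenticate as a TLS server
  cert_has_eku "$dir/pptp-server.crt" 'TLS Web Server Authentication' \
    || { echo "server cert lacks serverAuth" >&2; return 1; }
  ! cert_has_eku "$dir/pptp-client.crt" 'TLS Web Server Authentication' \
    || { echo "client cert could impersonate the server" >&2; return 1; }
  # the client key on disk must be passphrase-protected, the CA key owner-only
  grep -q ENCRYPTED "$dir/pptp-client.key" \
    || { echo "pptp-client.key is not encrypted" >&2; return 1; }
  [ "$(ls -l "$dir/ca.key" | cut -c1-10)" = "-rw-------" ] \
    || { echo "ca.key is readable by others" >&2; return 1; }
  # the .p12 must open with the export password and contain the client cert
  openssl pkcs12 -in "$dir/pptp-client.p12" -passin pass:exportpass -nokeys -clcerts 2>/dev/null \
    | grep -q 'BEGIN CERTIFICATE' || { echo "pptp-client.p12 unreadable" >&2; return 1; }
}

# Stand-alone run: build into a scratch directory and check it
DEMO_DIR=$(mktemp -d)
build_demo_pki "$DEMO_DIR" && verify_pki "$DEMO_DIR" && echo "PKI in $DEMO_DIR passed all checks"
```

To check the files easy-rsa itself produced, point verify_pki at the keys directory (the file names match the ones used in this tutorial); the chain, EKU and encrypted-key checks are the ones that catch a certificate signed by a stale CA, a client certificate that could pose as the server, and a key that was accidentally built without a passphrase.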