VPN Certificate [Kerio VPN Client] (How to change Kerio VPN-Server certificate in persistent mode?)

fb_luc

Messages: 5
Karma: 0
Hello,

is there an option to accept a new certificate from the server if I use a permanent/persistent connection, without the user having to accept something?

Or how do you manage it, to change a VPN server certificate when your whole company has to contact you to accept the new certificate? (We have to reconnect and maybe re-enter the credentials of the user.)

Thank you in advance

Brian Carmichael (Kerio)

Messages: 617
Karma: 61
You should use CA-signed certificates so that the user does not have to accept any certificate. I recommend StartSSL, as they offer free SSL signing and they are a trusted authority.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
fb_luc

Messages: 5
Karma: 0
Thank you for your answer.

We use a certificate from StartSSL, but if I change it at Kerio Control (VPN Server), the Kerio VPN Client gets an error because the fingerprint has changed.

If we want to accept the new certificate, we have to disconnect the persistent connection and connect again. And some employees cannot do that, because they have no admin rights.

I already tried to edit the fingerprint in C:\Program Files (x86)\Kerio\VPN Client\persistent.cfg
That worked. But we can't edit it for every employee or every laptop.

I hope there is another option to handle this.


Thank you in advance

[Updated on: Thu, 20 October 2016 08:52]

Brian Carmichael (Kerio)

Messages: 617
Karma: 61
I will try to get confirmation but I would not imagine that the user should be prompted if the certificate is valid and signed by a CA. Make sure that the users are configured to connect to the hostname provided on the certificate and that you have installed the intermediate certificate on the server. You can check your server's certificate using https://www.htbridge.com/ssl/ as their checker allows you to specify the VPN port of 4090.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
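An added example, not code from this thread or from Kerio, of the two checks discussed above: comparing a certificate's fingerprint the way a value pinned in persistent.cfg is compared, and fetching the VPN server's certificate on port 4090 with CA chain and hostname validation, the checks a CA-trusting client relies on. The hash algorithm (SHA-1), the fingerprint text format, and a plain TLS handshake on port 4090 are assumptions; the thread does not state them.

```python
import hashlib
import socket
import ssl
import sys

VPN_PORT = 4090  # Kerio VPN server port mentioned in the thread

# Constructed placeholder standing in for a DER-encoded certificate; not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or 'abcd..' and return lowercase hex without separators."""
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def der_fingerprint(der: bytes, algo: str = "sha1") -> str:
    """A certificate fingerprint is the hash of its DER encoding.
    SHA-1 is an assumption; the thread does not say which hash the client stores."""
    return hashlib.new(algo, der).hexdigest()


def fingerprint_matches(der: bytes, pinned: str, algo: str = "sha1") -> bool:
    """Pin check as a persistent-mode client would do it: any other certificate,
    however valid, fails here, which is the behaviour the thread describes."""
    return der_fingerprint(der, algo) == normalize_fingerprint(pinned)


def fetch_server_cert_der(host: str, port: int = VPN_PORT, timeout: float = 5.0) -> bytes:
    """Connect like a CA-trusting client: the chain must validate against the system
    trust store and the hostname must match the certificate. A missing intermediate
    or a hostname mismatch raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def main(argv):
    if len(argv) == 3:  # usage: script.py <vpn-hostname> <pinned-fingerprint>
        der, pinned = fetch_server_cert_der(argv[1]), argv[2]
    else:  # offline run on the constructed placeholder
        der, pinned = SAMPLE_DER, der_fingerprint(SAMPLE_DER)
    print("server fingerprint:", der_fingerprint(der))
    print("matches pinned value:", fingerprint_matches(der, pinned))


if __name__ == "__main__":
    main(sys.argv)
```

Run with no arguments it exercises the pin comparison on the placeholder; with a hostname and the pinned value it also reports whether the server's current certificate passes CA and hostname validation before comparing fingerprints.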
fb_luc

Messages: 5
Karma: 0
Thank you for your answer.

First, the Kerio VPN Client checks the fingerprint of the certificate, and each certificate has its own fingerprint.

We're running the VPN Client in persistent mode.

Here is a snippet from the debug.log:

[21/Oct/2016 12:29:35] {engine} CheckCertificate - remote endpoint's certificate fingerprint does not match.

As mentioned in the last post, we use CA-signed certificates.

It looks like in user mode the VPN Client accepts a new valid certificate without prompting, and in persistent mode it doesn't.

If we disconnect the persistent connection manually and connect it again, the new certificate is accepted without prompting.

Manually reconnecting persistent connections is only allowed for administrators. Normal users don't have these rights.

Thank you in advance

[Updated on: Fri, 21 October 2016 16:20]

Brian Carmichael (Kerio)

Messages: 617
Karma: 61
Normally the user should not receive any notification if the new certificate is valid, however it seems the product is not behaving this way. I have filed a bug report.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
fb_luc

Messages: 5
Karma: 0
Hello,

I read that the bug is fixed.

Version 9.2.1

+ Geoip filtering - added possibility to block incoming connection based on country of origin
* Significant performance improvements
* x86-64 architecture - 64-bit CPU is now supported
* IPsec VPN tunnel ciphers can be configured in administration
* Login guessing protection is now enabled by default
* Changed closed/reset connection timeout
- Samepage.io backup option removed
- Fixed: VPN client prompts user to accept valid certificate
- Fixed: VPN client DNS issues when 2-Step verification was enabled but not performed

I have checked it, but with our certificate it doesn't work. There is the same error as before the update. Do you know which CAs are trusted? Maybe there is a list.

[Updated on: Mon, 30 January 2017 09:53]
