VPN Certificate [Kerio VPN Client] (How to change Kerio VPN-Server certificate in persistent mode?)
  •  
fb_luc

Hello,

Is there an option to accept a new certificate from the server if I use a permanent/persistent connection, without the user having to accept something?

Or how do you manage it when you change a VPN Server certificate and your whole company has to contact you to accept the new certificate? (We have to reconnect and maybe re-enter the credentials of the user.)

Thank you in advance

  •  
Brian Carmichael (Kerio)

You should use CA-signed certificates so that the user does not have to accept any certificate. I recommend StartSSL as they offer free SSL signing and they are a trusted authority.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
Stay Connected Anytime, Anywhere. Discover Kerio Cloud!
  •  
fb_luc

Thank you for your answer.

We use a certificate from StartSSL, but if I change it in Kerio Control (VPN Server), the Kerio VPN Client gets an error because the fingerprint has changed.

If we want to accept the new certificate, we have to disconnect the persistent connection and connect again. And some employees cannot do that because they have no admin rights.

I already tried to edit the fingerprint in C:\Program Files (x86)\Kerio\VPN Client\persistent.cfg
That worked. But we can't edit it for every employee or every laptop.

I hope there is another option to handle this.


Thank you in advance

[Updated on: Thu, 20 October 2016 08:52]

  •  
Brian Carmichael (Kerio)

I will try to get confirmation but I would not imagine that the user should be prompted if the certificate is valid and signed by a CA. Make sure that the users are configured to connect to the hostname provided on the certificate and that you have installed the intermediate certificate on the server. You can check your server's certificate using https://www.htbridge.com/ssl/ as their checker allows you to specify the VPN port of 4090.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
fb_luc

Thank you for your answer.

First, the Kerio VPN Client checks the fingerprint of the certificate, and each certificate has its own fingerprint.

We're running the VPN Client in persistent mode.

Here is a snippet from the debug.log:

[21/Oct/2016 12:29:35] {engine} CheckCertificate - remote endpoint's certificate fingerprint does not match.



As mentioned in the last post, we use CA-signed certificates.

It looks like in user mode the VPN Client accepts new valid certificates without prompting, and in persistent mode it doesn't.

If we manually disconnect the persistent connection and connect it again, the new certificate will be accepted without prompting.

Manual reconnection of persistent connections is only allowed for administrators. Normal users don't have these rights.


Thank you in advance

[Updated on: Fri, 21 October 2016 16:20]

  •  
Brian Carmichael (Kerio)

Normally the user should not receive any notification if the new certificate is valid; however, it seems the product is not behaving this way. I have filed a bug report.

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
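
One way to see which persistent-mode clients are stuck on the old fingerprint after a certificate change, as an added example that is not part of the thread and not Kerio code: it scans collected debug.log text for the CheckCertificate line quoted in the post above. The host names, the rotation time, the sample lines and the idea that the logs have already been gathered per host are assumptions.

```python
import re
from datetime import datetime

# Line layout taken from the debug.log snippet quoted in the thread:
# [21/Oct/2016 12:29:35] {engine} CheckCertificate - <message>
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}/[A-Za-z]{3}/\d{4} \d{2}:\d{2}:\d{2})\] "
    r"\{(?P<component>[^}]+)\} (?P<msg>.*)$")
MISMATCH = "certificate fingerprint does not match"

def mismatches(log_text, since):
    """Timestamps of fingerprint-mismatch entries logged at or after `since`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or MISMATCH not in m.group("msg"):
            continue  # unrelated or malformed line
        # %b expects English month names, as in the quoted log line
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y %H:%M:%S")
        if ts >= since:
            hits.append(ts)
    return hits

def affected_clients(logs_by_host, since):
    """Map host -> (count, first, last) for hosts with mismatches since `since`."""
    report = {}
    for host, text in logs_by_host.items():
        hits = mismatches(text, since)
        if hits:
            report[host] = (len(hits), min(hits), max(hits))
    return report

# Constructed sample input. Only the CheckCertificate message text comes
# from the thread; hosts, times and the other lines are made up.
MSG = "{engine} CheckCertificate - remote endpoint's certificate fingerprint does not match."
SAMPLE_LOGS = {
    "laptop-01": f"[21/Oct/2016 12:29:35] {MSG}\n[21/Oct/2016 12:34:35] {MSG}\n",
    "laptop-02": "[21/Oct/2016 09:15:02] {engine} constructed unrelated line\n",
    "laptop-03": f"[20/Oct/2016 08:00:00] {MSG}\nnot a log line\n",
}
ROTATION = datetime(2016, 10, 21, 12, 0, 0)  # assumed time of the certificate change

if __name__ == "__main__":
    report = affected_clients(SAMPLE_LOGS, ROTATION)
    for host, (count, first, last) in sorted(report.items()):
        print(f"{host}: {count} mismatch(es), first {first}, last {last}")
```
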