Hello,

I am not a native English speaker and just a newbie, the opposite of an IT 
expert, and am totally stuck on this. If any of you can kindly give any advice 
on my stupid or basic questions, I would greatly, greatly appreciate your help:


A while ago, for the first time in my life, I (installed servers and) created 
certificates/keys in order to use OpenVPN on my stuff. I successfully created 
them, but then I felt I needed to figure out much more about other parts of 
server security, so I couldn't use them immediately and just left them alone.


What I did was:

- I wanted to use OpenVPN for my work and all my other stuff (I'm not an 
expert; I just wanted to learn and do the basic things, if I can).

- After reading some documents I understood/thought I should have a "server" 
in order to use OpenVPN. (Until then, I only had Microsoft Windows (not Server) 
and a virtual machine guest Windows (not Server) on it.)

- So I installed some Linux "server(s)" as guest OS(es), for the first time in 
my life.

     Here is what I actually did: 1. installed server A, 2. following the 
instructions on the OpenVPN website etc., completed the steps for issuing 
certificates (CA, server, client) using easy-rsa, 3. installed server B as 
another guest OS, 4. completed the steps for issuing certificates (CA, server, 
client).

- But I felt I should learn about and configure the rest of server security in 
order to actually start using the system(s), so I couldn't go further at that 
time; I just stopped there and had to leave them alone, without doing anything 
with them.

- I disconnected those guest OSes from the internet.


And since then I've been worried about the certificates and keys that were, I 
believe, properly issued at that time. I don't actually know what I have to be 
worried about, or even whether I really have to be worried about anything 
regarding them at all.

At that time I created the certificates mainly for use on my own 
basic(?)/initial(?) system, so the CA, server, and client certificates were 
only created, and as far as I remember I didn't send them to others or share 
them with anyone.

But I'm worried, as I hear a server can be hacked very quickly after it is 
created...

I haven't deleted/couldn't delete those two servers because I don't know if 
they will be needed, in case the certificates and keys need to be revoked....


I wonder, do I have to revoke all the certificates and keys, including the CA 
itself? Do I revoke the CAs using the same CAs?

(And actually, before installing those two servers, I also had a Windows OS, 
not Server, on which I also issued some certs and keys to use OpenVPN (until 
then I didn't think about the need for a "server" to use OpenVPN), but then I 
just completely deleted the Windows device itself without doing any revocation 
whatsoever... so currently I don't even have that system... Can I still even 
revoke those certificates and keys issued on the deleted device? How?...)


I now really need to proceed with my stuff, but I'm still stuck on it.

I don't know what I should do to remove any remaining risk/danger, if any. Or 
can I simply delete these two servers without revoking(?) anything whatsoever, 
without anything to worry about?

Is a certificate supposed to certify a device (whether CA, server or client)? 
So therefore don't I even have to be worried about the certs and keys if I no 
longer use the device itself (or if I delete the device itself)? What is the 
bottom line for compromised etc. certificates/keys (maybe from a security 
perspective or whatever...)?


I look forward to hearing from you.

Thank you very much for your time and your help indeed!

Best regards,
Kim
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
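The post asks what "revoking" a CA, server or client certificate actually is, and whether it can be done once the machine that held the CA is gone. The script below is an added example for this page; it is not part of Kim's message or of any reply on the list, and it uses plain openssl(1) rather than easy-rsa (easy-rsa is a wrapper around these same openssl ca/req operations). It builds a throwaway CA in a temporary directory, issues one client certificate, verifies it the way an OpenVPN peer configured with that CA and its CRL would, revokes it, and verifies again. It then deletes the CA private key and shows that no new CRL can be signed without it. Every name in it (Demo VPN CA, client1, demo_ca, the file layout) is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway X.509 CA built with
# openssl(1) instead of easy-rsa, showing what revocation consists of.
# All names (Demo VPN CA, client1, demo_ca, ...) are assumptions for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/ca.cnf"

# Create the CA: config, database files, key, self-signed cert, empty CRL.
setup_ca() {
  mkdir -p "$WORK/ca/newcerts"
  : > "$WORK/ca/index.txt"
  echo 1000 > "$WORK/ca/serial"
  echo 1000 > "$WORK/ca/crlnumber"
  cat > "$CNF" <<EOF
[ ca ]
default_ca         = demo_ca
[ demo_ca ]
dir                = $WORK/ca
database           = \$dir/index.txt
new_certs_dir      = \$dir/newcerts
certificate        = \$dir/ca.crt
private_key        = \$dir/ca.key
serial             = \$dir/serial
crlnumber          = \$dir/crlnumber
default_md         = sha256
default_crl_days   = 30
policy             = policy_any
unique_subject     = no
x509_extensions    = v3_client
[ policy_any ]
commonName         = supplied
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN                 = placeholder
[ v3_ca ]
basicConstraints   = critical,CA:TRUE
keyUsage           = critical,keyCertSign,cRLSign
[ v3_client ]
basicConstraints   = CA:FALSE
extendedKeyUsage   = clientAuth
EOF
  openssl req -config "$CNF" -x509 -newkey rsa:2048 -nodes -days 365 \
    -extensions v3_ca -subj "/CN=Demo VPN CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
  issue_crl
}

# Sign a fresh CRL with the CA key (this is the step that needs the key).
issue_crl() {
  openssl ca -config "$CNF" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}

# Issue a client certificate: CSR with a fresh key, then sign with the CA.
issue_cert() {
  openssl req -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl ca -config "$CNF" -batch -notext -days 30 \
    -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Revocation: the CA marks the serial in its database and publishes a new CRL.
revoke_cert() {
  openssl ca -config "$CNF" -revoke "$WORK/$1.crt" 2>/dev/null
  issue_crl
}

# What a peer that trusts ca.crt and checks crl.pem concludes: OK / REVOKED / FAILED.
check_cert() {
  out="$(openssl verify -crl_check -CAfile "$WORK/ca/ca.crt" \
    -CRLfile "$WORK/crl.pem" "$WORK/$1.crt" 2>&1)" && { echo OK; return; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *)                       echo FAILED ;;
  esac
}

# Number of revoked serials listed in the current CRL.
crl_revoked_count() {
  openssl crl -in "$WORK/crl.pem" -noout -text | grep -c 'Serial Number:' || true
}

# "yes" or "no": can the CA still sign a CRL (written to a scratch file)?
can_issue_crl() {
  if openssl ca -config "$CNF" -gencrl -out "$WORK/scratch.crl" 2>/dev/null
  then echo yes; else echo no; fi
}

setup_ca
issue_cert client1
BEFORE="$(check_cert client1)"          # OK
revoke_cert client1
AFTER="$(check_cert client1)"           # REVOKED
ENTRIES="$(crl_revoked_count)"          # 1
rm -f "$WORK/ca/ca.key"                 # the CA private key is gone for good
WITHOUT_KEY="$(can_issue_crl)"          # no
echo "before revocation: $BEFORE, after: $AFTER, CRL entries: $ENTRIES"
echo "can sign a new CRL without the CA key: $WITHOUT_KEY"
```

The two things the run makes concrete: revocation is an act of the CA (a signed CRL naming the serial), and it only changes the outcome for a relying party that both trusts that CA certificate and is configured to consult that CRL; with the CA private key destroyed, the CA can issue neither new certificates nor new CRLs.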