On Tue, 2014-04-15 at 10:34 -0500, Kevin Boatswain wrote:
> Hello all,
> I am in the process of switching out all of the certificates on my home
> pfsense box.
> In the past I have used a real CA for the web-interface and a PFSense
> Internal CA for the OpenVPN Config.
> Any of you that use PFSense in Corporate Environments do you use a
> real CA for OpenVPN or are many of you still using the Internal CA for
> OpenVPN Traffic?

IMNSHO an internal CA is always preferable to a commercial one for real
security - assuming it is set up correctly.

Ideally you have a root CA that never sees a network and is a bare-bones
system that only creates intermediate CAs and nothing else and is
usually stored shut down and cloned offsite.  You transfer the newly
minted intermediate CA's cert out by hand (I allow myself to use a USB
drive that has been newly formatted - you can go too far!)

My PFs get an intermediate CA from the root and at least I know that is
unlikely to be the weakest link and the intermediates can be revoked and
a CRL generated by root to that effect.

I also shuffle access to the web interface to another port and only ever
allow access to it from particular IPs - never open to the world at
large.

It's only a small amount of extra fiddling but closes off a reasonably
large number of potential problems, including, as it turns out, working
towards mitigating some of the fallout from Heartbleed: my root CA has
never seen the internet.

I don't for a minute believe that I can keep the 5is out or any other
well-funded state agency or a sufficiently well-motivated cracker, but
I'm buggered if script kiddies will get past me.

Cheers
Jon


Blueloop Ltd

Jon Gerdes | Senior Consultant

_______________________________________________
List mailing list
[email protected]
https://lists.pfsense.org/mailman/listinfo/list
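To make the hierarchy Jon describes concrete, here is an added shell example (not from the original thread, and not pfSense's own code) that builds it with the openssl CLI: an offline root, one intermediate constrained to pathlen:0 standing in for the pfSense CA, an OpenVPN server certificate issued by that intermediate, and finally the root revoking the intermediate and publishing a CRL. The directory layout, the CNs and the minimal `openssl ca` config are assumptions made for the lab.

```shell
# Hypothetical lab, not pfSense's own code: an offline root signs one intermediate,
# the intermediate issues the OpenVPN server cert, and the root later revokes it by CRL.
set -eu
# Generate a P-256 key and CSR for CN=$1 into $2.key / $2.csr.
csr() { openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -subj "/CN=$1" -keyout "$2.key" -out "$2.csr"; }
# Build the hierarchy in directory $1 (index/serial/CRL files would live only on the
# offline root machine); prints "revoked" once the root's CRL makes the intermediate
# fail verification. Any openssl failure aborts because of set -e.
build_ca_lab() {
  mkdir -p "$1"; cd "$1"; : > index.txt; echo 1000 > serial; echo 1000 > crlnumber
  cat > root.cnf <<'EOF'
[ca]
default_ca = root
[root]
database = ./index.txt
new_certs_dir = .
certificate = ./root.crt
private_key = ./root.key
serial = ./serial
crlnumber = ./crlnumber
default_md = sha256
default_crl_days = 30
policy = loose
[loose]
commonName = supplied
[root_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[int_ca]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  # 1. Self-signed root. 2. Intermediate signed by the root, constrained to pathlen:0.
  csr "Lab Root CA" root
  openssl ca -selfsign -batch -notext -config root.cnf -extensions root_ca -days 3650 -in root.csr -out root.crt >/dev/null
  csr "Lab pfSense Intermediate CA" int
  openssl ca -batch -notext -config root.cnf -extensions int_ca -days 1825 -in int.csr -out int.crt >/dev/null
  # 3. The intermediate issues the server cert; the chain must verify up to the root.
  csr "vpn.lab.example" srv
  openssl x509 -req -in srv.csr -CA int.crt -CAkey int.key -CAcreateserial -days 365 -out srv.crt >/dev/null
  openssl verify -CAfile root.crt -untrusted int.crt srv.crt >/dev/null
  # 4. The root revokes the intermediate and issues a CRL; a CRL-aware check now rejects it.
  openssl ca -config root.cnf -revoke int.crt >/dev/null
  openssl ca -config root.cnf -gencrl -out root.crl >/dev/null
  if openssl verify -crl_check -CAfile root.crt -CRLfile root.crl int.crt >/dev/null 2>&1; then echo "still-valid"; return 1; fi
  echo "revoked"
}
```

Running `build_ca_lab /tmp/calab` leaves root.crt, int.crt, srv.crt and root.crl behind for inspection with `openssl x509 -text` and `openssl crl -text`.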