> Hello all,
>
> I'm confused by the TLS Mode Options.
>
> In the man page:
>     --cert file    Peer's signed certificate in .pem
>     --key file     My private key in .pem
>
> but in Example 3:
>     openvpn ... --cert client.crt --key client.key ...
>     openvpn ... --cert server.crt --key server.key ...
>
> OpenVPN 1.2.1 works fine with the example,
> but I don't know which is the appropriate description for SSL security.
> Which is right?
>
> Thanks in advance,
>
> TANABE Hiroyasu
That's a good point and deserves clarification. --cert and --key should point to the local machine's certificate and key. So the man page should read something like:

    --cert file    Local signed certificate in .pem
    --key file     Local private key in .pem

Basically each computer that runs OpenVPN should have its own certificate/key pair, signed by the root certificate which is specified in --ca.

When 2 OpenVPN peers connect, each presents its local certificate to the other. Each peer will then check that its partner peer presented a certificate which was signed by the master --ca certificate. If that check succeeds, then the TLS negotiation will succeed, both OpenVPN peers will exchange temporary session keys, and the tunnel will begin passing data.

James
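The per-peer setup James describes, as an added shell example that is not from the original thread: it assumes the openssl command-line tool is installed, builds a throw-away --ca root plus a signed cert/key pair for each peer (names ca, server, client, other-ca and rogue are constructed here), and runs the acceptance check each peer applies to the certificate its partner presents.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes the openssl CLI.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed root CA: the one file every peer passes to --ca.
make_ca() {  # $1 = CA name
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=$1" >/dev/null 2>&1
}

# A peer's own key plus a certificate signed by the CA: its --key and --cert.
make_peer() {  # $1 = peer name, $2 = signing CA name
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1 &&
  openssl x509 -req -days 30 -in "$WORK/$1.csr" \
    -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# The check each OpenVPN peer applies to the certificate its partner presents:
# "accept" if it chains to the trusted --ca root, "reject" (status 1) otherwise.
verify_peer() {  # $1 = trusted CA name, $2 = presented certificate name
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
    return 1
  fi
}

make_ca ca && make_peer server ca && make_peer client ca
make_ca other-ca && make_peer rogue other-ca   # signed by an unrelated CA

# Equivalent command lines; note each peer passes its OWN cert and key:
#   openvpn ... --ca ca.crt --cert server.crt --key server.key
#   openvpn ... --ca ca.crt --cert client.crt --key client.key
verify_peer ca client          # accept
verify_peer ca server          # accept
verify_peer ca rogue || true   # reject: not issued by the --ca root
```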