On 20/05/21 23:12, tincantech wrote:
> [...]
> So, why switch to .pem when it has never been used before by openvpn?
> If you are all happy to let it go that way then so-be-it,
Hopefully this clarifies things:
- the default output format of OpenSSL is PEM-encoded; openssl uses the
default extension .pem
- the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
they've just been named differently by the easy-rsa tools to ensure that
the files can be easily loaded on Windows
- FTR: nearly all webservers I have ever seen are configured to use a
hostcert.pem and hostkey.pem and my guess is that there are (still)
more Linux-based webservers out there than OpenVPN clients and servers.
Having said that, I do agree that after using .crt/.key files left and
right (to accommodate Windows users) for over 15 years, it does seem
confusing to start using files named .pem for peer-fingerprinting all
of a sudden. On the other hand, with peer-fingerprinting you don't
HAVE a .crt file (at least, you don't need one, technically) but only
a .key file. So choosing a different extension for peer-fingerprinting
does have its merits.
FTR: Openvpn still exchanges the full certificates in peer-fingerprint mode.
meh ... I guess it was easier to implement it that way at the TLS level...
IMO that does add a "+1" to using .crt/.key extensions - otherwise it
might confuse the heck out of end users (like overwriting the private
key with the public cert etc ... )
How do the examples distinguish between the cert and the private key in
this case then?
JJK
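Added example, not from this thread or from OpenVPN/easy-rsa: a small Python check that tells a certificate from a private key by the PEM block label (CERTIFICATE vs. PRIVATE KEY) rather than by the .pem/.crt/.key file name, and computes the SHA-256 certificate fingerprint in the colon-separated form `openssl x509 -fingerprint -sha256` prints. The PEM bodies are constructed placeholder bytes, not real DER certificates or keys.

```python
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, "-----END <LABEL>-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.S,
)


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    out = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group("body").split()))
        out.append((m.group("label"), der))
    return out


def describe(text):
    """Say what a PEM file holds, by label rather than by its .pem/.crt/.key name."""
    labels = {label for label, _ in pem_blocks(text)}
    kinds = []
    if "CERTIFICATE" in labels:
        kinds.append("certificate")
    if any(lab.endswith("PRIVATE KEY") for lab in labels):  # also RSA/EC PRIVATE KEY
        kinds.append("private key")
    return "+".join(kinds) or "unknown"


def certificate_fingerprint(text):
    """SHA-256 over the DER of the first CERTIFICATE block, as colon-separated
    uppercase hex pairs (what `openssl x509 -noout -fingerprint -sha256` prints).
    Returns None if the text holds no certificate, e.g. a key file misnamed .pem."""
    for label, der in pem_blocks(text):
        if label == "CERTIFICATE":
            return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())
    return None


def _pem(label, raw):
    """Wrap raw bytes as a PEM block (64-column base64) to build constructed samples."""
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed samples: placeholder bytes standing in for real DER structures.
SAMPLE_CERT_PEM = _pem("CERTIFICATE", b"constructed stand-in for a DER-encoded certificate")
SAMPLE_KEY_PEM = _pem("PRIVATE KEY", b"constructed stand-in for a DER-encoded PKCS#8 key")

if __name__ == "__main__":
    for name, text in [("peer.pem", SAMPLE_CERT_PEM), ("peer-key.pem", SAMPLE_KEY_PEM)]:
        print(f"{name}: {describe(text)}, fingerprint={certificate_fingerprint(text)}")
```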
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel