Hopefully this clarifies things:
- the default output format of OpenSSL is PEM-encoded; openssl uses
the default extension .pem
- the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but
they've just been named differently by the easy-rsa tools to ensure
that the files can be easily loaded on Windows
- FTR: nearly all webservers I have ever seen are configured to use a
hostcert.pem and hostkey.pem and my guess is that there are (still)
more Linux-based webservers out there than OpenVPN clients and servers.
Having said that, I do agree that after using .crt/.key files left and
right (to accommodate Windows users) for over 15 years, it does seem
confusing to start using files named .pem for peer-fingerprinting all
of a sudden. On the other hand, with peer-fingerprinting you don't
*HAVE* a .crt file (at least, you don't need one, technically) but
only a .key file. So choosing a different extension for
peer-fingerprinting does have its merits.
I am a lot more used to calling these files pem files. I suggest we
put that just on the agenda for the next openvpn-meeting, if people have
strong preferences there.
And no, you still need a cert and key like for a normal TLS connection
with peer-fingerprint. It is *only* replacing the normal check of the
certificate with a fingerprint. Basically the same principle that
browsers do when you do cert-pinning.
Arne
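As an added example (not code from this thread or from OpenVPN itself), here is the fingerprint side of what Arne describes: a cert file, whether named .crt or .pem, is PEM text wrapping DER bytes, and the peer check hashes those bytes with SHA-256 and compares the result against a pinned value instead of walking a CA chain. The certificate bytes below are a constructed placeholder, so the resulting fingerprint belongs to no real certificate.

```python
import base64
import hashlib
import hmac
import re
from typing import Iterable

# Constructed sample: a real certificate's DER bytes are replaced by a short
# placeholder so this runs offline. Only the PEM wrapping and hashing matter;
# a real cert is just a longer byte string in the same wrapper.
SAMPLE_DER = b"abc"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER.
    The file extension (.crt, .pem, ...) plays no role; only content does."""
    m = _PEM_BLOCK.search(pem_text)
    if m is None:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 over the DER bytes, printed the way openssl x509 -fingerprint
    -sha256 and OpenVPN's peer-fingerprint do: uppercase hex pairs, colons."""
    digest = hashlib.sha256(pem_to_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    return fp.replace(":", "").strip().lower()


def verify_peer_fingerprint(pem_text: str, pinned: Iterable[str]) -> bool:
    """Accept the peer only if its fingerprint matches a pinned value (colons
    and case ignored). No CA chain is consulted; comparison is constant-time."""
    actual = _normalize(sha256_fingerprint(pem_text))
    return any(hmac.compare_digest(actual, _normalize(p)) for p in pinned)


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_PEM)
    print("peer-fingerprint", fp, verify_peer_fingerprint(SAMPLE_PEM, [fp]))
```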
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel