Hi,

On Wed, Jan 03, 2024 at 01:37:54PM -0500, Joe Patterson wrote:
> On Wed, Jan 3, 2024 at 11:24 AM Gert Doering <g...@greenie.muc.de> wrote:
> > Ideally, you wouldn't create the keys "on the server" anyway - in a
> > secure world, the CA key never leaves a *secure* machine for key generation,
> > and you'd create server key(s) and client keys on this machine, copying
> > to the target machines as are needed.
>
> I'd argue that in the *idealest* world, the server and client keys are
> created on the server and client, and csr's and certificates get
> copied to and from a secure CA. But that's pure nitpicking, and your
> point absolutely stands.
I know that this is best practice if the CA itself cannot be trusted beyond "attest that this key belongs to someone identified by <string>" (like, a DNS domain).

Not sure I can come up with a good attack scenario in an OpenVPN PKI scenario where the CA would be stopped from doing something nasty by doing the full .csr dance (because it could still just create arbitrary .key/.crt on its own, thus getting access to the VPN server).

So, in an (Open)VPN context, I would assume that trust level for the CA needs to be "as high as for the VPN server itself, preferably higher", not just "a random outside party that signs whatever you give it money for" :-)

Maybe things are different if intermediate CAs get involved, but I haven't spent too much thought on such scenarios yet - they tend to make my head hurt...

gert

--
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
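The ".csr dance" from the exchange above, as an added example that is not part of the thread or of OpenVPN/easy-rsa: plain openssl in a scratch directory, with each key generated where it will be used and only the CSR handed to the CA. The last step illustrates Gert's point: the CA can mint its own key and a certificate for any CN without ever seeing a CSR, and that certificate chains to the CA just as well. File names, CNs, key sizes and validity periods are assumptions for the demo; openssl 1.1.1 or newer with its default config is assumed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Everything happens in a
# scratch directory; names, CNs and validity periods are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# 1. The CA keypair is created on, and never leaves, the CA machine.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example VPN CA" -days 3650 >/dev/null 2>&1
}

# 2. An endpoint generates its own key and a CSR. $1 = file base name,
#    $2 = CN to request (defaults to $1). Only $1.csr travels to the CA.
make_csr() {
    openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=${2:-$1}" >/dev/null 2>&1
}

# 3. The CA signs the CSR and returns only $1.crt; it never sees $1.key.
sign_csr() {
    openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out "$1.crt" -days 365 >/dev/null 2>&1
}

# Does the certificate ($2) carry the public half of private key $1?
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# Does the certificate chain to our CA?  (What the VPN peer checks.)
cert_verifies() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1
}

# What a malicious or compromised CA can do regardless of the CSR dance:
# generate a fresh key itself and sign a certificate for CN=$1 on it.
# Produces $1-rogue.key / $1-rogue.crt with subject CN=$1.
mint_without_csr() {
    make_csr "$1-rogue" "$1"
    sign_csr "$1-rogue"
}

# --- Demo run ---
make_ca
make_csr client1;  sign_csr client1
make_csr server;   sign_csr server
cert_verifies client1.crt
key_matches_cert client1.key client1.crt
echo "client1: key generated locally, certificate chains to the CA"

mint_without_csr server
cert_verifies server-rogue.crt
echo "rogue server cert (CA-made key, CN=server) also verifies:"
echo "the CSR dance limits what leaves the endpoint, not what the CA can sign"
```

Whether the keys are made on the endpoints or on the CA box therefore changes the exposure of the private keys in transit and at rest, not the amount of trust placed in the CA; a peer that only checks "chains to ca.crt" (plus whatever `verify-x509-name` or `tls-verify` hooks you configure) accepts anything the CA key signs.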
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users