On 17/06/2024 22:33, Mika Laitio wrote:
> Hi, this is my first time in this list.
>
> This may be too simple a question, but I did not find a clear answer when googling and reading the README.quickstart.md. All the examples I found were more concentrated for the server side setup.
>
> So I would need to be connected to an openvpn server not hosted by me and the owner of the server asked me to send my credentials for the server key. At the moment I do not know the name of the server, ca-files of it or anything. I believe that once I send my public key, he can then generate the configuration file for me that I can use to connect to the server. (.opni)
>
> Can I just use openssl to generate a public-private key pair and then just send the generated public key for the openvpn server maintainer or do I need to use the easyrsa3/easyrsa to generate the keys that openvpn can use? If I need/can use the easyrsa3 to do that, are there any examples/docs for the commands I need to use?

A certificate needs to be signed by the CA to be accepted in that specific PKI.

The server admin most likely manages the CA and thus needs to sign your certificate.

There are two ways to achieve this:

1) the admin generates the certificate/private key pair for you and sends it over along with the config

2) you generate the public/private key pair and then you create a CSR (Certificate Signature Request) which you send over to the admin. The admin will sign that and thus create your certificate.

Advantage of 1: easy and fewer steps involved.
Advantage of 2: only you see the private key.

2) is more "correct" in a larger environment, but often people go for 1) to keep it easy.

IMHO your admin is asking to follow 2). Thus he wants you to create your key pair and a CSR, so that he can then create the certificate for you.

The configuration file (which is a bit orthogonal to this) should still be provided by the admin.

I hope it helps.

Regards,


--
Antonio Quartulli


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
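
The client side of option 2 from the reply above, as an added example that is not part of the original thread: generate the key pair locally, build the CSR, and check it before sending. The name `client1`, the RSA 2048 key and the CN-only subject are assumptions; the admin may require a different name or subject fields.

```shell
#!/bin/sh
# Added example: "client1" and the output directory are placeholders.

# make_csr NAME DIR: create DIR/NAME.key (private, stays on your machine)
# and DIR/NAME.csr (the only file that goes to the admin).
make_csr() {
    name=$1
    dir=$2
    mkdir -p "$dir" || return 1
    (
        umask 077   # key file is created readable by its owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$dir/$name.key" 2>/dev/null
    ) || return 1
    # The CSR carries the public key and requested subject, signed with the private key.
    openssl req -new -key "$dir/$name.key" -subj "/CN=$name" \
        -out "$dir/$name.csr" || return 1
}

# check_csr NAME DIR: the CSR's self-signature verifies and its public key
# is the one derived from the local private key.
check_csr() {
    name=$1
    dir=$2
    # Match on the message: older openssl releases exit 0 even on a failed verify.
    openssl req -in "$dir/$name.csr" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    csr_pub=$(openssl req -in "$dir/$name.csr" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/$name.key" -pubout) || return 1
    [ "$csr_pub" = "$key_pub" ]
}

# csr_is_public_only NAME DIR: the file to be sent holds no private key PEM block.
csr_is_public_only() {
    ! grep -q "PRIVATE KEY" "$2/$1.csr"
}
```

Only the `.csr` file is sent; the `.key` file never leaves the client. With EasyRSA 3 the equivalent steps are `./easyrsa init-pki` followed by `./easyrsa gen-req client1`.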
