Thanks for confirming. I agree that (2) feels more correct, as I would never
trust keys where someone else has access to the password-protected
asymmetric private keys.
But what information will I need from the server side to generate the keys?
Unless there are restrictions on the algorithm used or the key length?

Mika

On Mon, Jun 17, 2024 at 1:47 PM Antonio Quartulli <a...@unstable.cc> wrote:

>
>
> On 17/06/2024 22:33, Mika Laitio wrote:
> > Hi, this is my first time in this list.
> >
> > This may be too simple a question, but I did not find a clear answer
> > when googling and reading the README.quickstart.md. All the examples I
> > found were more concentrated on the server side setup.
> >
> > So I would need to be connected to an openvpn server not hosted by me
> > and the owner of the server asked me to send my credentials for the
> > server key. At the moment I do not know the name of the server, ca-files
> > of it or anything. I believe that once I send my public key, he can then
> > generate the configuration file for me that I can use to connect to the
> > server. (.opni)
> >
> > Can I just use openssl to generate a public-private key pair and then
> > just send the generated public key for the openvpn server maintainer or
> > do I need to use the easyrsa3/easyrsa to generate the keys that openvpn
> > can use? If I need/can use the easyrsa3 to do that, are there any
> > examples/docs for the commands I need to use?
>
> A certificate needs to be signed by the CA to be accepted in that
> specific PKI.
>
> The server admin most likely manages the CA and thus needs to sign your
> certificate.
>
> There are two ways to achieve this:
>
> 1) the admin generates the certificate/private key pair for you and sends
> it over along with the config
>
> 2) you generate the public/private key pair and then you create a CSR
> (Certificate Signature Request) which you send over to the admin. The
> admin will sign that and thus create your certificate.
>
> Advantage of 1: easy and fewer steps involved.
> Advantage of 2: only you see the private key.
>
> 2) is more "correct" in a larger environment, but often people go for 1)
> to keep it easy.
>
> IMHO your admin is asking to follow 2). Thus he wants you to create your
> key pair and a CSR, so that he can then create the certificate for you.
>
> The configuration file (which is a bit orthogonal to this) should still
> be provided by the admin.
>
> I hope it helps.
>
> Regards,
>
>
> --
> Antonio Quartulli
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
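
Option 2 from the thread, as an added example that is not part of the original messages: generate the key pair locally, build the CSR, and check that only the CSR needs to leave the machine. The function names, file names, the CN `client1` and the RSA 3072 default are assumptions; the CN and any algorithm or key-length requirements should be confirmed with the server admin. The key is written unencrypted with owner-only permissions.

```shell
#!/bin/sh
# Added example (not from the thread). Hypothetical helper names.
# Usage: make_client_csr client1 ./vpn        # then send ./vpn/client1.csr only

# csr_matches_key CSR KEY
# Succeeds only if the public key embedded in CSR belongs to private key KEY.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}

# make_client_csr CN OUTDIR [RSA_BITS]
# Writes OUTDIR/CN.key (stays on this machine) and OUTDIR/CN.csr (goes to the admin).
make_client_csr() {
    cn=$1; out=$2; bits=${3:-3072}   # 3072 is an assumed default, not from the thread
    [ -n "$cn" ] && [ -n "$out" ] || { echo "usage: make_client_csr CN OUTDIR [BITS]" >&2; return 2; }
    # Keep the CN to a safe character set so it cannot alter the -subj string.
    case $cn in
        *[!A-Za-z0-9._-]*) echo "invalid CN: $cn" >&2; return 2 ;;
    esac
    mkdir -p "$out" || return 1
    key="$out/$cn.key"; csr="$out/$cn.csr"
    # Never silently replace a private key that may already be in use.
    [ ! -e "$key" ] || { echo "refusing to overwrite $key" >&2; return 1; }
    # Create the private key with owner-only permissions from the start.
    (
        umask 077
        openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
            -out "$key" 2>/dev/null
    ) || return 1
    # The CSR carries the subject and the public key, signed with the private key.
    openssl req -new -key "$key" -subj "/CN=$cn" -out "$csr" || return 1
    # Check the CSR self-signature; match on the message because older
    # OpenSSL releases do not reliably signal a failure via the exit code.
    openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    # Confirm the CSR really corresponds to the key that stays local.
    csr_matches_key "$csr" "$key"
}
```

The admin signs `client1.csr` with the CA and returns the certificate; `client1.key` is never transmitted.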
