Hi Bo,

Cutting to the chase ...

A brief lesson in the essence of X509.

Using Easy-RSA PKI means that all certificates MUST
be signed using the CA Private Key.

Thus, to sign a "foreign request", that which has come
from an unknown source (e.g. a client), use these commands:

    `import-req ~/Downloads/bob.req bob`
    `sign-req client bob`

This will sign a request from a foreign source.

----

To create a foreign request on the CA machine, try Easy-RSA
option --pki=testpki with commands `init-pki` and `gen-req`.

----

When all Private keys and Public certificates are built
on the CA signing machine (e.g. the designated CA) then
use commands:

    `build-server-full server1`
    `build-client-full client1`

These will create the Private key, which MUST then be
distributed securely, and the Public certificate, which
can be shared openly. Easy-RSA will also create an
inline file for OpenVPN use, but be aware of the security
aspect outlined above. Easy-RSA places the inline files
into either the pki/inline or pki/inline/private folders.

Commands `build-x-full` are simply commands `gen-req` and
`sign-req` chained together, for easy use on the designated CA.

----

Perhaps the most significant point to make is:
The Private key of the foreign entity remains private,
if the foreign entity generated the Private key for itself.


Regards
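
The foreign-request flow described in the message above (`gen-req` on the client, then `import-req` and `sign-req` on the CA), as an added example that is not part of the original message and is not Easy-RSA's own code. It uses plain `openssl`, which Easy-RSA wraps, with constructed names and a temporary directory, and checks that the signed certificate matches a private key the CA never received.

```shell
#!/bin/sh
# Added example: names, subjects and paths are constructed for the demo.
set -eu

demo_foreign_request() {
    work=$(mktemp -d)
    ca="$work/ca"; bob="$work/bob"      # stand-ins for two separate machines
    mkdir "$ca" "$bob"

    # CA machine: the CA private key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null

    # Bob's machine: Bob generates his own private key and request (gen-req).
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=bob" \
        -keyout "$bob/bob.key" -out "$bob/bob.req" 2>/dev/null

    # Only the request is handed to the CA (import-req) ...
    cp "$bob/bob.req" "$ca/bob.req"
    # ... which signs it with the CA private key (sign-req).
    openssl x509 -req -in "$ca/bob.req" -CA "$ca/ca.crt" -CAkey "$ca/ca.key" \
        -CAcreateserial -days 30 -out "$ca/bob.crt" 2>/dev/null
    cp "$ca/bob.crt" "$bob/bob.crt"     # the certificate can travel openly

    # Check 1: the certificate chains to the CA.
    if openssl verify -CAfile "$ca/ca.crt" "$bob/bob.crt" >/dev/null 2>&1
    then chain=ok; else chain=fail; fi

    # Check 2: the certificate's public key belongs to Bob's private key.
    cert_pub=$(openssl x509 -in "$bob/bob.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$bob/bob.key" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then keymatch=yes; else keymatch=no; fi

    # Check 3: list every private key present on the CA machine.
    ca_keys=$(cd "$ca" && grep -l 'PRIVATE KEY' -- * | xargs)

    rm -rf "$work"
    echo "chain=$chain keymatch=$keymatch ca_private_keys=$ca_keys"
}

demo_foreign_request
```

With `build-client-full` the second `openssl req` step would run on the CA machine instead, so the third check would also list the client's key.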


