Since secure certificate management implies that the user generates a
key and CSR independently, the user can choose not to encrypt that
certificate at generation time. Further, even if the private key is
generated by a "trusted" third party and provided to the user (bad! --
means the private key touched someone else's equipment, had to be moved
between machines, all of these creating points of vulnerability) with an
encrypted password already present (also bad -- means that password had
to be known by someone other than the user at some point), the user has
the ability to re-encrypt the certificate with a different password at
some point in the future, so you *can't* know that the certificate is
encrypted.
With auth-user-pass, circumventing the password prompt is significantly
harder -- the "easiest" way requires a recompiled OpenVPN client -- and
there are server-side measures which can be taken to ensure that users'
passwords are strong and frequently rotated (which a purely client-side
password used to encrypt a key will almost never be).
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
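As an added example that is not from the thread or the OpenVPN project: a minimal back end for OpenVPN's `auth-user-pass-verify <script> via-file` hook that applies the kind of server-side policy the post refers to (minimum password length and a maximum password age), something a passphrase on a client-held key can never give the server. The user store, policy values and sample accounts are constructed for illustration.

```python
#!/usr/bin/env python3
# Added example: auth-user-pass-verify back end (via-file mode) enforcing
# server-side length and rotation policy. Store/policy values are assumed.
import hashlib
import hmac
import os
import sys
from datetime import datetime, timedelta, timezone

MIN_LEN = 12                  # assumed policy: minimum password length
MAX_AGE = timedelta(days=90)  # assumed policy: rotate at least every 90 days
ITERATIONS = 200_000          # PBKDF2 work factor

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def add_user(store, username, password, changed_at):
    salt = os.urandom(16)
    store[username] = {"salt": salt, "hash": _hash(password, salt), "changed": changed_at}

def verify(store, username, password, now):
    """Return (accepted, reason). Hashing runs for unknown users too, so the
    response time does not reveal whether an account exists."""
    rec = store.get(username)
    salt = rec["salt"] if rec else b"\x00" * 16
    expected = rec["hash"] if rec else b"\x00" * 32
    if not (hmac.compare_digest(_hash(password, salt), expected) and rec):
        return False, "bad credentials"
    if len(password) < MIN_LEN:
        return False, "password shorter than policy minimum"
    if now - rec["changed"] > MAX_AGE:
        return False, "password expired, rotation required"
    return True, "ok"

# Constructed sample accounts (not real users).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
USERS = {}
add_user(USERS, "alice", "correct-horse-battery", NOW - timedelta(days=10))
add_user(USERS, "bob", "short-pw", NOW - timedelta(days=10))
add_user(USERS, "carol", "long-but-very-stale-secret", NOW - timedelta(days=200))

if __name__ == "__main__":
    # In via-file mode OpenVPN writes the username on line 1 and the password
    # on line 2 of a temp file and passes its path as argv[1]; exit 0 accepts.
    with open(sys.argv[1]) as f:
        user, pw = f.readline().rstrip("\n"), f.readline().rstrip("\n")
    accepted, reason = verify(USERS, user, pw, datetime.now(timezone.utc))
    print(reason, file=sys.stderr)
    sys.exit(0 if accepted else 1)
```

Wire it in with `auth-user-pass-verify /path/to/script.py via-file` (plus `script-security 2`) on the server; the same hook is where a real deployment would call out to its directory or password database instead of the in-memory store.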