Ivan "Rambius" Ivanov wrote:
> Hello,
>
> We successfully installed an openvpn server and a couple of openvpn
> clients. We are using private keys for authentication. I read the
> following in OpenVPN docs [1]:
>
> "Shouldn't it be possible to set up the PKI without a pre-existing
> secure channel?
>
> The answer is ostensibly yes. In the example above, for the sake of
> brevity, we generated all private keys in the same place. With a bit
> more effort, we could have done this differently. For example, instead
> of generating the client certificate and keys on the server, we could
> have had the client generate its own private key locally, and then
> submit a Certificate Signing Request (CSR) to the key-signing machine.
> In turn, the key-signing machine could have processed the CSR and
> returned a signed certificate to the client. This could have been done
> without ever requiring that a secret .key file leave the hard drive of
> the machine on which it was generated."
>
> Could you please advise me how to set up such a machine and where I
> can find software for a key-signing server?
>
> Thank you very much in advance.
>
> Regards
> Ivan
>
> [1] http://openvpn.net/howto.html#pki
>

http://www.intrusion-lab.net/roca/

Perhaps something like roCA, which is a Knoppix based distro with various bits of software for running a CA, would be suitable.

Regards,
Gavin

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
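
The CSR exchange described in the quoted HOWTO passage, sketched with the `openssl` command line. This is an added example, not part of the original thread or of the OpenVPN documentation. The directory layout, CN values, key size and lifetimes are constructed assumptions, and certificate extensions and revocation are left out.

```shell
#!/bin/sh
# Added example. Directory names, CNs and lifetimes are constructed assumptions.
set -eu

# Key-signing machine, once: CA key plus self-signed CA certificate.
make_ca() {
    mkdir -p "$1"
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example-VPN-CA" \
          -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null )
}

# Client: generate the private key locally and a CSR for it.
# Only "$1/$2.csr" is sent to the key-signing machine.
make_client_csr() {
    mkdir -p "$1"
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
          -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null )
}

# Key-signing machine: require a valid CSR self-signature (proof the requester
# holds the matching private key), then issue the certificate.
sign_csr() {   # sign_csr CADIR CSR OUTCRT
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$3" 2>/dev/null
}

# Client: the returned certificate must chain to the CA and carry our public key.
check_cert() {   # check_cert CACRT CRT KEY
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Whole exchange in a scratch directory; only the CSR and certificates are copied.
run_demo() {
    w=$(mktemp -d)
    make_ca "$w/ca" && make_client_csr "$w/client" client1 || return 1
    cp "$w/client/client1.csr" "$w/ca/"                      # client -> CA
    sign_csr "$w/ca" "$w/ca/client1.csr" "$w/ca/client1.crt" || return 1
    cp "$w/ca/client1.crt" "$w/ca/ca.crt" "$w/client/"       # CA -> client
    check_cert "$w/client/ca.crt" "$w/client/client1.crt" "$w/client/client1.key"
}
run_demo && echo "certificate issued; client1.key never left the client directory"
```

The CSR and the signed certificate contain no secrets, so they can travel over an untrusted channel. The CA operator still has to confirm out of band that a CSR really came from the client it names before signing it.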