Tony wrote:
> I think of implementing the hierarchy into the PKI: one root CA would
> create some second-level RAs that would issue their certs specifically
> either for WiFi or OpenVPN. I aim to achieve an "isolation" between
> OpenVPN and WiFi certificate owners.

Personally, I wouldn't bother -- there's no reason to use a hierarchy as opposed to two completely separate CAs in this case.

In the alternative, you can grant certificates from a single CA with common names which indicate their use (i.e. clientname.wireless.vpn.yourcompany.com vs. clientname.external.vpn.yourcompany.com), and use a tls-verify script on each server to make sure that the CNs match the appropriate pattern. [I like common names in this form, because you can rig up DNS to mirror it (have a zone wireless.vpn.yourcompany.com and another external.vpn.yourcompany.com, and have entries in those zones updated by your learn-address scripts) -- but that's strictly personal taste.]

A hierarchy is useful in the case where you want to delegate some portion of your certificate-granting power to a system which is more easily compromised than your root CA, such that you can disavow trust for that machine after the fact without having to throw away your entire root CA (or any other intermediate CAs); I'm not sure that it's really a good fit for the problem you're having right now.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
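The tls-verify check described in the reply above, as an added example that is not part of the original post or of OpenVPN itself. OpenVPN runs the tls-verify script once per certificate in the peer's chain with two arguments, the chain depth (0 is the client's own certificate) and that certificate's X.509 subject; exit status 0 accepts, anything else rejects. The script below assumes (hypothetically, not from the page) that each server sets the environment variable ALLOWED_SUFFIX to the subdomain it serves, e.g. ".wireless.vpn.yourcompany.com", and it handles both the older "/C=US/O=Org/CN=host" and the newer "C=US, O=Org, CN=host" subject spellings, since which one you see depends on the OpenVPN version.

```shell
#!/bin/sh
# Added example (not from the original post): an OpenVPN --tls-verify script
# that accepts a client certificate only when its CN is exactly one hostname
# label followed by the suffix this server is allowed to serve.
#
# Assumptions (hypothetical): ALLOWED_SUFFIX is set in the server's
# environment, e.g. ALLOWED_SUFFIX=".wireless.vpn.yourcompany.com", and the
# subject arrives either as "/C=US/O=Org/CN=host" or "C=US, O=Org, CN=host".

# extract_cn SUBJECT -> prints the CN value, or nothing if there is none.
# A "/" is prepended so a subject that starts with "CN=" matches the same
# pattern as one where CN= follows a "/" or ", " separator.
extract_cn() {
    printf '/%s\n' "$1" \
        | sed -n 's|.*[/,][[:space:]]*CN=\([^/,]*\).*|\1|p' \
        | sed 's/[[:space:]]*$//'
}

# check_cn CN SUFFIX -> 0 if CN is <single-label>SUFFIX, else 1.
# The label must be non-empty and contain only letters, digits and "-",
# so "a.b.wireless.vpn.yourcompany.com" and a bare suffix are both rejected.
check_cn() {
    cn=$1
    suffix=$2
    [ -n "$suffix" ] || return 1
    case "$cn" in
        *"$suffix") ;;        # ends with the expected suffix
        *) return 1 ;;
    esac
    label=${cn%"$suffix"}     # what remains in front of the suffix
    case "$label" in
        '') return 1 ;;                # nothing in front of the suffix
        *[!A-Za-z0-9-]*) return 1 ;;   # extra dots, slashes, spaces, ...
    esac
    return 0
}

# verify DEPTH SUBJECT SUFFIX -> 0 to accept, 1 to reject.
# Only the leaf (depth 0) carries the client's name; intermediate and root
# certificates are already checked against the CA bundle by OpenVPN itself.
verify() {
    depth=$1
    subject=$2
    suffix=$3
    case "$depth" in
        0) ;;
        *) return 0 ;;
    esac
    cn=$(extract_cn "$subject")
    [ -n "$cn" ] || return 1
    check_cn "$cn" "$suffix"
}

# Entry point when OpenVPN invokes the script (server config line:
#   tls-verify /etc/openvpn/check-cn.sh   -- path is an assumption).
if [ "$#" -eq 2 ]; then
    if [ -z "$ALLOWED_SUFFIX" ]; then
        echo "check-cn: ALLOWED_SUFFIX is not set, refusing connection" >&2
        exit 1
    fi
    verify "$1" "$2" "$ALLOWED_SUFFIX"
    exit "$?"
fi
```

Two practical notes: OpenVPN 2.1 and later refuse to run external scripts unless the config also contains `script-security 2` (or higher), and the match is deliberately on the whole CN rather than a substring, so a certificate for "attacker.wireless.vpn.yourcompany.com.evil.org" or for "x.y.wireless.vpn.yourcompany.com" issued by the same CA is still rejected on the wireless server.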