
[Openvpn-users] Re: Intermediate Certificate Authority

  • Subject: [Openvpn-users] Re: Intermediate Certificate Authority
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Thu, 20 Jan 2005 10:46:52 -0600

On Thu, 20 Jan 2005 16:09:49 +0000, cldpeak wrote:

> Is it important to OpenVPN security practices to 'BUILD AN INTERMEDIATE

Unless you know that you need it, you generally don't -- just be very
careful about keeping your CA safe.

Having an intermediate CA allows you to keep your "real" CA locked up with
no network connections whatsoever and the intermediate CA located
somewhere with security levels which, while high, impinge less on getting
work done. Then, in the event that the intermediate CA is compromised, you
can revoke it and create a new one without replacing your real CA.

If you're not going to be following this procedure (real CA locked up w/
no network connections), there's no value-add to having an intermediate
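
The revoke-and-replace procedure the message describes, sketched with the openssl command line as an added example (not part of the original post). File names, subjects and the pki.cnf layout are constructed for the demo, and it runs in one temporary directory, whereas in the setup described above root.key would stay on the machine with no network connections.

```shell
# Added example: every name, subject and path below is constructed for the demo.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = replaced-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ca]
default_ca = signer
[signer]
certificate = ${ENV::CA}.crt
private_key = ${ENV::CA}.key
database = ${ENV::CA}.index
default_md = sha256
EOF
export CA=root   # pki.cnf reads $CA to decide which CA an "openssl ca" call acts as

csr() {          # $1 = file stem, $2 = common name
    openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
}
sign() {         # $1 = subject stem, $2 = issuer stem, rest = extra x509 options
    s=$1 i=$2; shift 2
    openssl x509 -req -in "$s.csr" -CA "$i.crt" -CAkey "$i.key" -CAcreateserial \
        -days 365 -out "$s.crt" "$@" 2>/dev/null
}
crl() {          # $1 = CA stem: publish that CA's current revocation list
    touch "$1.index"; CA=$1 openssl ca -config pki.cnf -gencrl -crldays 30 -out "$1.crl" 2>/dev/null
}
chain_ok() {     # $1 = intermediate stem, $2 = client stem; CRLs checked at every level
    cat root.crl "$1.crl" > crls.pem
    openssl verify -crl_check_all -CAfile root.crt -CRLfile crls.pem \
        -untrusted "$1.crt" "$2.crt" >/dev/null 2>&1
}
# Root CA: the only key that has to live on the offline machine.
openssl req -x509 -config pki.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=Demo Root CA" -days 3650 2>/dev/null
csr inter "Demo Intermediate CA"; sign inter root -extfile pki.cnf -extensions v3_ca
csr client "vpn-client-01";       sign client inter
crl root; crl inter; chain_ok inter client && BEFORE=ok || BEFORE=rejected
# Intermediate compromised: the root revokes it, republishes its CRL, certifies a new one.
CA=root openssl ca -config pki.cnf -revoke inter.crt 2>/dev/null; crl root
csr inter2 "Demo Intermediate CA 2"; sign inter2 root -extfile pki.cnf -extensions v3_ca
csr client2 "vpn-client-01";         sign client2 inter2; crl inter2
chain_ok inter client   && OLD=ok || OLD=rejected
chain_ok inter2 client2 && NEW=ok || NEW=rejected
echo "before=$BEFORE old-chain=$OLD new-chain=$NEW"
```

Peers keep trusting the same root.crt throughout; only the root's CRL and the intermediate change, which is the benefit the message attributes to the intermediate CA.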
