[Openvpn-users] Re: Intermediate Certificate Authority


  • Subject: [Openvpn-users] Re: Intermediate Certificate Authority
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Thu, 20 Jan 2005 10:46:52 -0600

On Thu, 20 Jan 2005 16:09:49 +0000, cldpeak wrote:

> Is it important to OpenVPN security practices to 'BUILD AN INTERMEDIATE
> CERTIFICATE AUTHORITY CERTIFICATE/KEY'?

Unless you know that you need it, you generally don't -- just be very
careful about keeping your CA safe.

Having an intermediate CA allows you to keep your "real" CA locked up with
no network connections whatsoever and the intermediate CA located
somewhere with security levels which, while high, impinge less on getting
work done. Then, in the event that the intermediate CA is compromised, you
can revoke it and create a new one without replacing your real CA.

If you're not going to be following this procedure (real CA locked up w/
no network connections), there's no value-add to having an intermediate
CA.


____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
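
The root/intermediate arrangement described in the message above, as an added example that is not part of the original post or of OpenVPN's own tooling. It assumes the `openssl` command-line tool is installed; the names `demo-root`, `demo-int-1`, `demo-int-2` and `vpn-server` are placeholders, and all keys are throwaway.

```shell
# Constructed demo, not from the post: root CA -> intermediate CA -> server cert.
# Placeholder names throughout; every step touching root.key is "offline" work.
set -eu
PKI=$(mktemp -d); cd "$PKI"; : > index.txt
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = root
[root]
database = index.txt
default_md = sha256
default_crl_days = 30
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
new_csr() {             # $1 = name: fresh key and CSR
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}
issue_intermediate() {  # $1 = name, $2 = serial; signed with root.key
  new_csr "$1"
  openssl x509 -req -in "$1.csr" -CA root.crt -CAkey root.key -set_serial "$2" \
    -days 365 -extfile ca.cnf -extensions v3_ca -out "$1.crt" 2>/dev/null
}
issue_server() {        # $1 = issuing intermediate; root.key is not needed here
  new_csr vpn-server
  openssl x509 -req -in vpn-server.csr -CA "$1.crt" -CAkey "$1.key" \
    -set_serial 100 -days 90 -out vpn-server.crt 2>/dev/null
}
revoke_at_root() {      # $1 = intermediate whose key is assumed compromised
  openssl ca -config ca.cnf -cert root.crt -keyfile root.key -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -cert root.crt -keyfile root.key -gencrl -out root.crl 2>/dev/null
}
chain_ok() {            # does vpn-server.crt chain to the root via intermediate $1?
  openssl verify -CAfile root.crt -untrusted "$1.crt" vpn-server.crt >/dev/null 2>&1
}
is_revoked() {          # does the root's CRL reject intermediate $1?
  openssl verify -crl_check -CAfile root.crt -CRLfile root.crl "$1.crt" 2>&1 |
    grep -q "certificate revoked"
}
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -config ca.cnf \
  -extensions v3_ca -subj "/CN=demo-root" -keyout root.key -out root.crt 2>/dev/null
issue_intermediate demo-int-1 2; issue_server demo-int-1
chain_ok demo-int-1 && echo "original chain verifies"
revoke_at_root demo-int-1; issue_intermediate demo-int-2 3; issue_server demo-int-2
is_revoked demo-int-1 && chain_ok demo-int-2 && echo "demo-int-1 revoked; new chain verifies under the same root.crt"
```

Relying parties only pick up the revocation if they actually load the root's CRL; the trust anchor `root.crt` they already hold is never reissued.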