[Openvpn-users] Re: how to trust each other with diff CAs

  • Subject: [Openvpn-users] Re: how to trust each other with diff CAs
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Tue, 15 Mar 2005 19:05:51 -0600

On Wed, 16 Mar 2005 08:23:07 +0800, Gmail wrote:

> openvpn 2.0 on debian
> If I have two individual VPN networks, VPN Network A and VPN Network B.
> A is a full VPN system and has created a CA.
> B is also a full VPN system and has its own CA.
> Both of them work very well separately, but a client in A wants to connect
> to the server in B.
> How could this work, without the same CA?
> Can openvpn handle this kind of thing? Can you give me some advice?

Please don't send HTML mail to the list -- it comes out as junk on the
GMANE NNTP mirror.

What are you trying to accomplish here? Generally speaking, the client in
A isn't *supposed* to be able to connect to the server B -- if it could,
then individual C (who made their own CA) could connect to networks A and
B, and that would be a Bad Thing -- and if someone wants to be a client on
both network A and network B, they can simply have separate certificates
for each connection.

That said, the PEM file specified with "--ca" can specify multiple
certificate authorities. If you want a client to authenticate a different
server using a different CA, or a server to authenticate clients with
certificates signed by an alternate CA, you can have the CA files on both
of these systems contain certificates for both authorities they're
supposed to accept.
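The multi-CA file Charles describes, as an added example that is not part of the mailing-list thread: the script below builds two independent CAs (standing in for networks A and B), a third one (the outsider C), one client certificate from each, and then the concatenated PEM that would be handed to the "ca" directive. It then checks which certificates that file accepts. It assumes only that the openssl command-line tool is installed; the names ca-a, ca-b, ca-c and client-a/b/c are hypothetical.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread above: build a single PEM
# file holding two independent CAs (the kind of file OpenVPN's "ca"
# directive points at) and show which certificates it accepts.
# Assumes the openssl CLI is on PATH; ca-a, ca-b, ca-c and client-a/b/c
# are hypothetical stand-ins for networks A, B and an outsider C.
set -e

WORK="${TMPDIR:-/tmp}/openvpn-multi-ca.$$"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.crt|key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA NAME: key and CSR for NAME, signed by CA's key
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# count_certs FILE: how many CA certificates a --ca file carries
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# check CAFILE CERT: "ok" if CERT chains to a CA listed in CAFILE, else
# "fail". OpenVPN loads its "ca" file into OpenSSL, so this is the same
# trust decision the TLS handshake makes.
check() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# build_bundle: CAs A and B (trusted), CA C (not trusted), one client
# certificate per CA, and the concatenated ca-bundle.pem for "--ca".
build_bundle() {
    if [ -f "$WORK/ca-bundle.pem" ]; then return 0; fi
    mkdir -p "$WORK"
    make_ca ca-a
    make_ca ca-b
    make_ca ca-c
    issue_cert ca-a client-a
    issue_cert ca-b client-b
    issue_cert ca-c client-c
    # The multi-CA file is nothing more than the PEM certificates
    # concatenated; order does not matter.
    cat "$WORK/ca-a.crt" "$WORK/ca-b.crt" > "$WORK/ca-bundle.pem"
}

build_bundle
echo "CAs in bundle: $(count_certs "$WORK/ca-bundle.pem")"
for c in client-a client-b client-c; do
    echo "$c vs bundle:    $(check "$WORK/ca-bundle.pem" "$WORK/$c.crt")"
    echo "$c vs ca-b only: $(check "$WORK/ca-b.crt" "$WORK/$c.crt")"
done
```

The same concatenated file works in the other direction: a client in A that carries both CA certificates in its "ca" file will accept B's server certificate. Note what the check shows, which is exactly Charles's warning: the bundle accepts every certificate either CA has ever signed, and nothing narrower than "signed by one of these CAs" can be expressed through the CA list alone.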

