
Re: [Openvpn-users] Which Directory to run ./vars, .clean-all, ./build-ca?

  • Subject: Re: [Openvpn-users] Which Directory to run ./vars, .clean-all, ./build-ca?
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Wed, 05 Jul 2006 08:19:32 -0500

Erm. One thing -- with regard to your subject line: It's not ./vars, 
it's ". vars", or "source vars".

(You're doing this in /etc/openvpn/easy-rsa, not /etc/openvpn, right?)

Also, it's not really best practice to keep your CA on the same machine 
as your VPN server -- if they're on the same machine, someone who cracks 
your VPN server can build themselves new certificates; otherwise, if 
someone cracks your VPN server you need to rebuild it but don't need to 
disqualify the certs held by the client machines. OpenVPN doesn't need 
access to the CA private key or the client keys to operate, just the 
server's own public and private key pair, the CA certificate and (if you 
have any revoked clients) the certificate revocation list.
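
The split described in this message (the server holds only its own key pair, the CA certificate and the CRL) can be checked mechanically. The script below is an added example, not part of the original message: it flags every PEM private key in a server's key directory other than the server's own and reports needed files that are absent. The file names (ca.key, server.key, client1.key, as in an easy-rsa keys/ directory), the function names and the sample contents are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message). File names follow an
# easy-rsa style keys/ directory and are assumptions; sample data is constructed.

# audit_keydir DIR SERVER_NAME
# Prints "EXPOSED <file>" for each private key in DIR that the OpenVPN server
# does not need (anything except SERVER_NAME.key) and "MISSING <file>" for
# each file it does need. Returns 1 if anything was printed, 0 if clean.
audit_keydir() {
    dir=$1 server=$2 status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Match on PEM content, not extension, so a renamed key is still caught.
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f"; then
            if [ "$name" != "$server.key" ]; then
                echo "EXPOSED $name"
                status=1
            fi
        fi
    done
    for need in ca.crt "$server.crt" "$server.key"; do
        if [ ! -f "$dir/$need" ]; then
            echo "MISSING $need"
            status=1
        fi
    done
    return $status
}

# make_sample: constructed directory in which the CA key and a client key
# were left next to the server's own files. Prints the directory path.
make_sample() {
    d=$(mktemp -d)
    for n in ca.crt server.crt crl.pem; do
        printf '%s\n' 'placeholder, not a real certificate or CRL' > "$d/$n"
    done
    for n in ca.key server.key client1.key; do
        printf '%s\n' '-----BEGIN PRIVATE KEY-----' > "$d/$n"
    done
    echo "$d"
}

sample=$(make_sample)
audit_keydir "$sample" server || echo "keys above belong on the CA machine or the client, not here"
rm -rf "$sample"
```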
