
Re: [Openvpn-users] I don't get it: why use a certificate?

  • Subject: Re: [Openvpn-users] I don't get it: why use a certificate?
  • From: Josh Cepek <josh.cepek@xxxxxxx>
  • Date: Mon, 25 Jun 2007 00:19:36 -0500
  • Openpgp: id=2E5A5127

Todd and Margo Chester wrote:
> Hi All,
> I am reading
>     http://openvpn.net/howto.html#pki
> on how to set up a certificate.  I am
> failing to see how a certificate is
> superior to just using a secret key.
> For instance, if a laptop gets stolen,
> don't the bad guys have everything they
> need to use the tunnel regardless if
> you are using a certificate or a key?
Not if you use a certificate-based setup and encrypt the private key. 
If the private key is unencrypted or a static-key is used, an attacker
who has physical possession of the media can impersonate the legitimate
user and connect to the VPN.  However, if a passphrase is used to secure
the private key component to a PKI setup, the would-be attacker will
need to guess the passphrase before an attack can be launched.  Assuming
the stolen laptop gets reported to the administrator of the PKI, the
client's certificate can be revoked which prevents the key from being
used (such as if an attacker spent enough time brute-forcing the key's
passphrase and managed to crack it.)
> The section on starting and testing the
> tunnel
>     http://openvpn.net/howto.html#start
> shows no sign of any prompts for passwords.
> If you have the laptop, you have the farm.
> I don't get it.  Can some kind person
> straighten me out?
The how-to on the site provides a very limited description of the PKI in
order to get to a working setup quickly; the examples do not include any
form of private key encryption or a description of doing the key
generation and signing on different machines.  If you want to use the
provided easy-rsa scripts to generate a password protected private key,
you can use the syntax `./build-key-pass client1` in place of the
'build-key' script; the 'build-key-pass' script will prompt for a
passphrase which will be used to encrypt the private key.  This
passphrase must be entered each time the VPN client connects as it is
required to gain access to the private key.

If you want to learn more about what is actually happening when you
invoke the scripts in the easy-rsa directory I'd encourage you to open
up the scripts and take a look at what openssl commands and options are
called.  Personally, I don't use the easy-rsa scripts because I want
more control over the process.  However, invoking openssl directly
requires an understanding of that application, and the easy-rsa scripts
provide a way to generate a PKI without needing as much prerequisite
knowledge.  Also, the OpenSSL documentation at http://openssl.org/ can
be a good resource with respect to the openssl commands.


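The reply above turns on whether a client's private key is stored encrypted. As an added example (not part of the original message and not taken from the easy-rsa scripts), the following shell functions report whether PEM key files are passphrase-protected, covering both the traditional OpenSSL encoding and PKCS#8. The file names and PEM bodies are constructed placeholders, not real keys.

```shell
# key_status FILE -> prints "encrypted", "unencrypted" or "no-key".
key_status() {
    awk '
        /^-----BEGIN ([A-Z0-9]+ )*PRIVATE KEY-----/ {
            inkey = 1; found = 1
            # PKCS#8 marks encryption in the BEGIN line itself.
            enc = ($0 ~ /BEGIN ENCRYPTED PRIVATE KEY/)
            next
        }
        # Traditional OpenSSL PEM marks it with a Proc-Type header.
        inkey && /^Proc-Type: 4,ENCRYPTED/ { enc = 1 }
        inkey && /^-----END / { if (!enc) plain = 1; inkey = 0 }
        END {
            if (inkey && !enc) plain = 1   # truncated cleartext key
            if (!found)     print "no-key"
            else if (plain) print "unencrypted"
            else            print "encrypted"
        }
    ' "$1"
}

# audit_keys FILE... -> one line per file; returns 1 if any key is cleartext.
audit_keys() {
    rc=0
    for f in "$@"; do
        s=$(key_status "$f")
        printf '%-12s %s\n' "$s" "$f"
        if [ "$s" = unencrypted ]; then rc=1; fi
    done
    return "$rc"
}

# make_samples DIR -> constructed files; the bodies are placeholders, not keys.
make_samples() {
    b='Q09OU1RSVUNURUQ='
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' "$b" \
        '-----END RSA PRIVATE KEY-----' > "$1/client1.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: DES-EDE3-CBC,0000000000000000' '' "$b" \
        '-----END RSA PRIVATE KEY-----' > "$1/client2.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$b" \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$1/client3.key"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "$b" \
        '-----END CERTIFICATE-----' > "$1/ca.crt"
}
dir=$(mktemp -d)
make_samples "$dir"
audit_keys "$dir"/* || echo "cleartext private key found"
rm -rf "$dir"
```

The check only reads the PEM framing, so it shows that a key is encrypted at rest but says nothing about the strength of the passphrase.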