
Re: [Openvpn-users] build-key-pass confusion

  • Subject: Re: [Openvpn-users] build-key-pass confusion
  • From: "Dave" <dev@xxxxxxxxxxxxxx>
  • Date: Tue, 26 Jun 2007 18:50:27 -0500
  • Importance: Normal

Interesting, it definitely does work for me, and I'm using the stock openvpngui build.  Pretty much, as soon as you try to connect a simple dialog box pops up asking for the passphrase.  I use this on a daily basis.
Regarding smartcards, the existing openvpngui does not present a dialog for that.  I sent a patch to Mathias back last Jan for that, but it has not made it into a build.  It works pretty much the same way though....  If anyone is interested I can make a diff and publish it somewhere on the web; it's pretty simple.
Technicality:  the passphrase is actually on the key, not on the cert.  (the cert is public info).  Also, when storing a key on a token, the passphrase is gone because this is a write-only operation:  i.e. you can't pull the key back off the token (at least with the tokens I have used).  The encryption/signing occurs in the token device itself, and therein lies the security:  it's not like a floppy disk with your keys and certs.
-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Michael D. Berger
Sent: Tuesday, June 26, 2007 12:53 PM
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] build-key-pass confusion

Great idea if it worked! I tried it with my WinXP
laptop and it never asked me for a password.
Michael D. Berger
-----Original Message-----
From: openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx [mailto:openvpn-users-bounces@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Mister T
Sent: Tuesday, June 26, 2007 10:26 AM
To: Todd and Margo Chester
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] build-key-pass confusion


You can protect your certificate with a password. You can choose the password yourself, but if you want to use OpenVPN GUI it is best to use a numerical one with a maximum of 8 digits.

This password will be asked each time you set up an OpenVPN tunnel.

It is a good idea to use password protected certificates if you store them on your client machine (not advisable).

If you plan to store your certificates on a SmartCard, I would not use this option as the SmartCard is already protected by a PIN (password) and 2 PINs is too much.


2007/6/25, Todd and Margo Chester <ToddAndMargo@xxxxxxxxxxx>:
Hi All,

I am confused.  I am reading how to set
up a certificate:


It states:

    If you would like to password-protect
    your client keys, substitute the
    build-key-pass script.

Okay.  What password?  Where is it used?
Where is the rest of the explanation?
Why would I want to use it?

Would some kind person please educate me?

Many thanks,
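
Added example, not part of the original thread: a Python check that classifies PEM files to show that passphrase protection is a property of the private-key file and never of the certificate, and that flags keys stored on disk without one. The file names and PEM bodies are constructed placeholders.

```python
import re

# One PEM block: capture the label and everything up to the matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def classify_pem(text):
    """Return [(label, status)] for each PEM block found in text."""
    results = []
    for label, body in PEM_BLOCK.findall(text):
        if label.endswith("CERTIFICATE"):
            status = "public"            # certificates carry no passphrase
        elif label == "ENCRYPTED PRIVATE KEY":
            status = "encrypted-key"     # PKCS#8: the label itself says so
        elif label.endswith("PRIVATE KEY"):
            # Traditional format marks encryption with a Proc-Type header.
            if re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED", body, re.MULTILINE):
                status = "encrypted-key"
            else:
                status = "PLAINTEXT-KEY"
        else:
            status = "other"
        results.append((label, status))
    return results

def unprotected_keys(files):
    """Names of files holding at least one private key with no passphrase."""
    return sorted(name for name, text in files.items()
                  if any(s == "PLAINTEXT-KEY" for _, s in classify_pem(text)))

# Constructed sample input: hypothetical file names, placeholder bodies.
BODY = "Q09OU1RSVUNURUQ=\n"
SAMPLE_FILES = {
    "client1.crt": "-----BEGIN CERTIFICATE-----\n" + BODY
                   + "-----END CERTIFICATE-----\n",
    "client1.key": "-----BEGIN RSA PRIVATE KEY-----\n"
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n" + BODY
                   + "-----END RSA PRIVATE KEY-----\n",
    "client2.key": "-----BEGIN RSA PRIVATE KEY-----\n" + BODY
                   + "-----END RSA PRIVATE KEY-----\n",
    "client3.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + BODY
                   + "-----END ENCRYPTED PRIVATE KEY-----\n",
}

if __name__ == "__main__":
    for name in sorted(SAMPLE_FILES):
        print(name, classify_pem(SAMPLE_FILES[name]))
    print("keys without a passphrase:", unprotected_keys(SAMPLE_FILES))
```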
