Re: [Openvpn-users] Client-local PKCS#10 CSR generation


  • Subject: Re: [Openvpn-users] Client-local PKCS#10 CSR generation
  • From: "Etienne V. Depasquale" <evdepa@xxxxxxxxxxxxx>
  • Date: Fri, 06 Jul 2007 19:41:41 +0200
  • Importance: Normal

Thanks for the point made regarding separating the VPN server from the CA.

However, I don't see how using a RoCA as a stand-alone CA will help
(admitting that I haven't used it yet!); is there a client part to RoCA that
the end-user can run on his computer to generate the CSR? That's the core
problem. If this is the case, I would have preferred to avoid introducing
the end-user to a second item of software.

Cheers,

Etienne



-----Original Message-----
From: Erich Titl [mailto:erich.titl@xxxxxxxx] 
Sent: 06 July 2007 14:37
To: evdepa@xxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Client-local PKCS#10 CSR generation



Etienne V. Depasquale wrote:
> Good day,
>
> I’m new to OpenVPN and am still in the process of learning how to use
> it. Can anyone help on this?
>
> I would like to carry out the following operations using OpenVPN only:
>
> 1. The end-user creates his PKCS#10 CSR on his client machine (to be
> e-mailed to the VPN administrator for signing)
>
> 2. The VPN administrator submits the CSR to the OpenVPN CA for signing,
> receiving a certificate in return
>
> 3. The VPN administrator manually hands the certificate file to the
> end-user, as a means of ID verification
>

So far so good

> Is it possible to do all the above using OpenVPN only?

None of the above is an OpenVPN issue; all this is done using openssl
with a bit of script icing around.

> As an
> alternative, I could follow the HOWTO procedure at
> http://openvpn.net/howto.html to run the entire process on the OpenVPN
> server + CA but I’d prefer to give the end-users some flexibility in the
> process by allowing them to carry out the generation themselves.

I would strongly discourage you from doing this in the OpenVPN server itself,
as the safety of the CA is crucial to your security, thus it should
_never_ reside on the server.

I personally use RoCA, a CD/Flash-stick based CA, which gives you an
easy-to-use interface to handle the certificates.

cheers

Erich
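
The three steps listed in the quoted question, done with the openssl command line as the reply suggests. This is an added example, not part of the original thread or of the OpenVPN HOWTO: the file names, subject fields and the helper functions `ca_init`, `user_make_csr`, `ca_sign_csr` and `user_check_cert` are constructed, and it signs with `openssl x509 -req` instead of the HOWTO's scripts.

```shell
#!/bin/sh
# Added example: all names, subjects and paths below are constructed.

# CA machine (kept off the VPN server): one-time creation of the CA key pair.
ca_init() {            # $1 = CA directory
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/O=Example VPN/CN=Example Offline CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" ) 2>/dev/null
}

# Step 1, end-user machine: key and PKCS#10 CSR are generated locally.
# Only client.csr is sent to the administrator; client.key never leaves.
user_make_csr() {      # $1 = user directory, $2 = common name
    ( umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/O=Example VPN/CN=$2" \
        -keyout "$1/client.key" -out "$1/client.csr" ) 2>/dev/null
}

# Step 2, CA machine: check the CSR's self-signature (proof that the sender
# holds the private key), then sign. Extensions come from the CA's own file;
# "openssl x509 -req" does not copy extensions requested in the CSR.
ca_sign_csr() {        # $1 = CA directory, $2 = CSR in, $3 = certificate out
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$1/client.ext"
    openssl x509 -req -in "$2" -sha256 -days 365 \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/client.ext" -out "$3" 2>/dev/null
}

# Step 3, end-user machine: the returned certificate must chain to the CA
# and carry the same public key as the locally held private key.
user_check_cert() {    # $1 = user directory, $2 = CA certificate
    openssl verify -CAfile "$2" "$1/client.crt" >/dev/null 2>&1 || return 1
    [ "$(openssl x509 -in "$1/client.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/client.key" -pubout)" ]
}

# Walk through the whole exchange in a scratch directory.
workdir=$(mktemp -d) && mkdir "$workdir/ca" "$workdir/user" &&
ca_init "$workdir/ca" &&
user_make_csr "$workdir/user" "alice" &&
ca_sign_csr "$workdir/ca" "$workdir/user/client.csr" "$workdir/user/client.crt" &&
user_check_cert "$workdir/user" "$workdir/ca/ca.crt" &&
openssl x509 -in "$workdir/user/client.crt" -noout -subject -issuer
```

In real use the two directories are on different machines, and only `client.csr` and `client.crt` travel between them.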

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users