Changes between Version 8 and Version 9 of EasyRSA3-OpenVPN-Howto
Timestamp: 12/01/13 10:37:53 (10 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
EasyRSA3-OpenVPN-Howto
Changes from v8 to v9:

Unmodified:
The best way to create a PKI for OpenVPN is to separate your CA duty from each server & client. The CA should ideally be on a secure environment (whatever that means to you). Loss/theft of the CA key destroys the security of the entire PKI.

Removed (v8):
== Separate CA system procedure ==

Added (v9):
To use Easy-RSA to set up a new OpenVPN PKI, you will:

 1. Set up a CA PKI and build a root CA
 2. Configure secondary PKI environments on your server and each client and generate a keypair & request on them
 3. Send the certificate requests to the CA, where the CA signs and returns a valid certificate
 4. On your OpenVPN server, generate DH parameters (see the DH Generation section of this Howto)

== PKI procedure: using a separate CA system ==

Unmodified:
Pick locations for the CA and each entity that will be assigned certs. All keypair/request generation should occur on the target system that will use them; put another way, generate your client & server requests/keys on each system for best security.

…

6. The CA returns the signed certificate, and includes the CA certificate unless the client already has it. This can be done over an insecure channel, though the client is encouraged to confirm the received CA cert is valid if the transport is untrusted.

Added (v9):
== DH Generation ==

On the PKI for the OpenVPN server, this command will generate DH parameters used during the TLS handshake with connecting clients. The DH params are not security sensitive.

{{{
./easyrsa gen-dh
}}}
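The four-step separate-CA workflow above, written out as shell functions, one per system role, plus the out-of-band check the Howto recommends when ca.crt arrives over an untrusted channel. This is an added example, not the Howto's or the Easy-RSA project's own script; it assumes Easy-RSA 3's `easyrsa` is on PATH (the Howto runs it as `./easyrsa`), that each function is run on the host it names, and that the expected fingerprint is obtained from the CA operator by some trusted route.

```bash
#!/bin/sh
# Added example: separate-CA PKI workflow for OpenVPN with Easy-RSA 3.
# Assumes `easyrsa` on PATH; EASYRSA_PKI selects the PKI directory on each host.
set -eu

# --- On the CA system: build the root CA (step 1).
ca_init() {                      # $1 = PKI dir on the CA host
  EASYRSA_PKI="$1" easyrsa init-pki
  EASYRSA_PKI="$1" easyrsa build-ca        # prompts for the CA key passphrase
}

# --- On the server or a client: generate keypair + request locally (step 2).
entity_req() {                   # $1 = PKI dir, $2 = entity name (e.g. server1)
  EASYRSA_PKI="$1" easyrsa init-pki
  EASYRSA_PKI="$1" easyrsa gen-req "$2"    # the private key never leaves this host
  echo "$1/reqs/$2.req"                    # only this .req file is sent to the CA
}

# --- On the CA system: import the received request and sign it (step 3).
ca_sign() {                      # $1 = CA PKI dir, $2 = received .req, $3 = name, $4 = server|client
  EASYRSA_PKI="$1" easyrsa import-req "$2" "$3"
  EASYRSA_PKI="$1" easyrsa sign-req "$4" "$3"
  echo "$1/issued/$3.crt"                  # return this plus $1/ca.crt to the entity
}

# --- On the OpenVPN server: DH parameters for the TLS handshake (step 4).
server_dh() { EASYRSA_PKI="$1" easyrsa gen-dh; }

# --- On the entity: confirm the received CA cert against a fingerprint obtained
# out-of-band, since an attacker on an untrusted transport could swap in their own CA.
fp_normalize() {                 # "sha256 Fingerprint=ab:cd:.." or "ab:cd.." -> ABCD..
  printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'a-f' 'A-F'
}
fp_match() {                     # $1 = expected fingerprint, $2 = observed; 0 on match
  [ -n "$(fp_normalize "$1")" ] && [ "$(fp_normalize "$1")" = "$(fp_normalize "$2")" ]
}
ca_cert_matches() {              # $1 = received ca.crt, $2 = expected SHA-256 fingerprint
  fp_match "$2" "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}
```

Only the .req file travels to the CA and only the .crt (and ca.crt) travels back; if `ca_cert_matches` fails, do not install the received ca.crt.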