
Digital Ocean states in one of its tutorials about OpenVPN servers:

While it’s technically possible to use your OpenVPN server or your local machine as your CA, this is not recommended as it opens up your VPN to some security vulnerabilities. Per the official OpenVPN documentation, you should place your CA on a standalone machine that’s dedicated to importing and signing certificate requests.

I couldn't find an explanation in the OpenVPN documentation regarding this matter. What are those 'security vulnerabilities' Digital Ocean is talking about?

Arthur Attout

2 Answers


The OpenVPN documentation being referred to is the Getting started How-To on the OpenVPN Wiki. Specifically, this paragraph:

BEWARE: One common mistake when setting up a new CA is to place all the CA files on the OpenVPN server. DO NOT DO THAT! A CA requires a private key which is used for signing the certificates your clients and servers will use. If you lose control of your CA private key, you can no longer trust any certificates from this CA. Anyone with access to this CA private key can sign new certificates without your knowledge, which then can connect to your OpenVPN server without needing to modify anything on the VPN server. Place your CA files on a storage which can be offline as much as possible, only to be activated when you need to get a new certificate for a client or server.

The concern is that if the CA's private key is ever stolen, the attacker could issue themselves valid certificates for your VPN. Those certificates could be used to either fool your client into connecting to a rogue VPN server (letting the attacker spy on or modify your traffic) or fool your server into accepting a connection from an unauthorized client (allowing the attacker to use your VPN).

Keep in mind that if you're only ever planning to run a single VPN server, any attacker who compromises your VPN server will gain the ability to control and monitor any traffic that flows through that server anyway, even if they can't steal your CA's private key. For that reason, you may find storing your CA key as a private root-owned file on your VPN server to be an acceptable risk.

On the other hand, even in that scenario there may be some minor benefits to keeping your CA key on a separate machine:

  1. A compromised VPN server might be easier to detect than a stolen CA certificate
  2. You would be partially protected from attacks that can steal information from your VPN server but not gain control of it
  3. Recovering from a compromised server might be slightly easier, depending on whether or not you find it easier to deploy a CRL to all clients than to deploy a new CA certificate to all clients

It's up to you whether or not you consider those benefits to be worth the possible inconvenience of keeping your CA on a separate machine.

If you're planning to run multiple VPN servers, keeping your CA private key on a separate offline machine is more important, as doing so prevents the compromise of one VPN server from affecting the security of other servers.

Ajedi32
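The separation both answers recommend, as an added example (not code from the original post, from OpenVPN or from Digital Ocean): two throwaway directories stand in for two machines, an offline CA and the Internet-facing VPN server. Only certificate requests, signed certificates and the CA's public certificate cross between them; the CA private key is generated and used on the CA side only. The last step revokes one client and publishes a CRL, which is the recovery path point 3 above refers to. It assumes the `openssl` CLI is on PATH; all directory names, common names and the "lost laptop" scenario are constructed.

```shell
#!/bin/sh
# Added example, not from the original post, OpenVPN or Digital Ocean.
# Two throwaway directories play the roles of two machines; ca.key is only
# ever written and read under $CA_DIR. Assumes the openssl CLI is installed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/offline-ca"    # stands in for the offline CA machine
SRV_DIR="$WORK/vpn-server"   # stands in for the VPN server and its clients

setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$CA_DIR/requests" "$CA_DIR/issued" "$SRV_DIR"
    : > "$CA_DIR/index.txt"
    printf '1000\n' > "$CA_DIR/serial"
    # Minimal 'openssl ca' configuration; absolute paths are written in directly.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database         = $CA_DIR/index.txt
new_certs_dir    = $CA_DIR/newcerts
serial           = $CA_DIR/serial
certificate      = $CA_DIR/ca.crt
private_key      = $CA_DIR/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_cn_only
[ policy_cn_only ]
commonName = supplied
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    # CA key pair: created on the CA side and never copied anywhere else.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
        -subj "/CN=Example VPN CA" -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca 2>/dev/null
    cp "$CA_DIR/ca.crt" "$SRV_DIR/ca.crt"   # only the public cert moves
    # Tiny config so 'openssl req' on the server side needs no system openssl.cnf.
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$SRV_DIR/req.cnf"
}

# Server side: make a key and a CSR for $1; the private key stays here.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$SRV_DIR/$1.key" -out "$SRV_DIR/$1.csr" \
        -subj "/CN=$1" -config "$SRV_DIR/req.cnf" 2>/dev/null
    cp "$SRV_DIR/$1.csr" "$CA_DIR/requests/$1.csr"   # the request travels to the CA
}

# CA side: sign request $1 with extension profile $2 (server_cert / client_cert).
sign_csr() {
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions "$2" \
        -in "$CA_DIR/requests/$1.csr" -out "$CA_DIR/issued/$1.crt" 2>/dev/null
    cp "$CA_DIR/issued/$1.crt" "$SRV_DIR/$1.crt"    # the certificate travels back
}

# CA side: publish a CRL, bundled with ca.crt as the server would load it.
publish_crl() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl \
        -out "$CA_DIR/crl.pem" 2>/dev/null
    cat "$CA_DIR/ca.crt" "$CA_DIR/crl.pem" > "$SRV_DIR/ca-with-crl.pem"
}

# CA side: revoke certificate $1, then push a fresh CRL (recovery without a new CA).
revoke_cert() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" \
        -revoke "$CA_DIR/issued/$1.crt" 2>/dev/null
    publish_crl
}

# Server side: would certificate $1 be accepted? Chain check plus CRL check.
check_cert() {
    openssl verify -crl_check -CAfile "$SRV_DIR/ca-with-crl.pem" \
        "$SRV_DIR/$1.crt" >/dev/null 2>&1
}

# Audit: no private key present on the server side matches the CA's public key.
ca_key_stays_offline() {
    ca_pub=$(openssl x509 -in "$SRV_DIR/ca.crt" -noout -pubkey)
    for k in "$SRV_DIR"/*.key; do
        [ "$(openssl pkey -in "$k" -pubout 2>/dev/null)" = "$ca_pub" ] && return 1
    done
    return 0
}

run_demo() {
    setup_ca
    make_csr vpn-server; sign_csr vpn-server server_cert
    make_csr client1;    sign_csr client1 client_cert
    make_csr client2;    sign_csr client2 client_cert
    revoke_cert client2   # constructed scenario: client2's device was lost
    for n in vpn-server client1 client2; do
        if check_cert "$n"; then echo "$n: accepted"; else echo "$n: rejected"; fi
    done
    ca_key_stays_offline && echo "CA private key never reached the server side"
}
run_demo
```

Run it with `sh script.sh` (set `WORK=/some/dir` to keep the two directories for inspection). The only things that ever exist under `vpn-server/` are keys the server generated itself, CSRs, signed certificates, the public CA certificate and the CRL bundle, which is exactly the property the OpenVPN wiki paragraph asks for; `ca_key_stays_offline` verifies it by comparing public keys rather than by trusting file names.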

If the CA is facing the Internet and someone can steal the private key of the CA, they can sign certificates that are valid for the VPN authentication. Therefore, the CA should be on a standalone machine, preferably not connected to any network at all.

Esa Jokinen