I set up an IKE VPN server for road warriors. I actually have this working (YAY!) but took some shortcuts that are leaving me with a working yet not-right/secure setup. My setup is as follows:

My server (DNS name vpn.mydomain.com) contains certs for:

  1. "mydomain CA" (certificate authority), LT, since I run my own CA
  2. "vpn-client-group-1", KT, this is the cert the client is connecting with (with Key on this end)
  3. "vpn.mydomain.com", KT, this cert has Alt name DNS:vpn.mydomain.com (and includes key)

My client contains certs for:

  1. "mydomain CA" (certificate authority), LT, since I run my own CA
  2. "vpn-client-group-1", KT, for connecting (with key on this end)

There are too many private keys above. Can someone tell me which certs, on which end, actually need the private key? Do I even need the vpn-client-group-1 cert on the server? (why)

TSG

1 Answer


Can someone tell me which certs, on which end, actually need the private key?

Private keys are only required by the hosts that actually authenticate/sign using a particular certificate. So on the server you need the private key for vpn.mydomain.com and on the client the one for vpn-client-group-1.

And just to clarify, the private key for the CA is not required on any of the hosts (you only need that to issue new certificates, which you better do offline).

Do I even need the vpn-client-group-1 cert on the server?

If it's issued by your own CA and the client sends it during authentication, then no. If it's self-signed or the client doesn't send it, you'll need it (or the raw public key) to verify the client's signature.

ecdsa
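The answer's two points (a private key only belongs on the host that signs with the matching certificate; the server verifies the client's certificate with nothing more than the CA certificate when the client sends it) can be checked end to end with plain openssl. The script below is an added example, not code from the question or the answer: it builds the three certificates named in the question, copies to each side only what the answer says it needs, and then runs both directions of the IKE_AUTH check at the PKI level. The subject names come from the question; the work directory, the file names, the server/ and client/ staging directories and the stand-in for the signed IKE_AUTH octets are assumptions for illustration. How your IKE daemon lays out its certificate store is not covered here.

```shell
#!/bin/sh
# Added example (not from the question or the answer above): build the three
# certificates named in the question with openssl, copy to each side only
# what the answer says it needs, and check that this is enough for both
# directions of authentication. Subject names come from the question; the
# work directory, file names, the server/ and client/ staging directories and
# the stand-in for the signed IKE_AUTH octets are assumptions for illustration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

gen_key() {  # $1 = file stem; P-256 keys keep the example fast
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -out "$WORK/$1.key" 2>/dev/null
}

# Issue an end-entity certificate: key and CSR belong to the requester; the
# signature is made with ca.key, which is the only thing ca.key is ever used for.
issue_cert() {  # $1 = file stem, $2 = CN, $3 = extra extension line (may be empty)
  gen_key "$1"
  openssl req -new -key "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2"
  printf 'basicConstraints=CA:FALSE\n%s\n' "$3" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 825 -extfile "$WORK/$1.ext" 2>/dev/null
}

build_pki() {
  # "mydomain CA": self-signed root. ca.key signs the other two certs and is
  # then left where it is; it is never copied to either host.
  gen_key ca
  openssl req -new -key "$WORK/ca.key" -out "$WORK/ca.csr" -subj "/CN=mydomain CA"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -out "$WORK/ca.crt" \
    -days 3650 -extfile "$WORK/ca.ext" 2>/dev/null
  # "vpn.mydomain.com": the identity the client checks the server against
  issue_cert server "vpn.mydomain.com" "subjectAltName=DNS:vpn.mydomain.com"
  # "vpn-client-group-1": the identity the client authenticates with
  issue_cert client "vpn-client-group-1" ""
}

# Each side gets the CA cert (to verify the peer) plus its own cert and key
# (to authenticate). The server gets neither client.crt nor client.key.
deploy() {
  mkdir -p "$WORK/server" "$WORK/client"
  cp "$WORK/ca.crt" "$WORK/server.crt" "$WORK/server.key" "$WORK/server/"
  cp "$WORK/ca.crt" "$WORK/client.crt" "$WORK/client.key" "$WORK/client/"
}

# Succeeds only if every private key is exactly where the answer says it belongs.
keys_stay_home() {
  [ -f "$WORK/server/server.key" ] && [ ! -f "$WORK/server/client.key" ] &&
  [ ! -f "$WORK/server/ca.key" ] && [ -f "$WORK/client/client.key" ] &&
  [ ! -f "$WORK/client/server.key" ] && [ ! -f "$WORK/client/ca.key" ]
}

# Client side of IKE_AUTH: the server presents server.crt; the client needs
# only its copy of ca.crt to check the chain and the expected DNS name.
client_checks_server() {
  openssl verify -CAfile "$WORK/client/ca.crt" \
    -verify_hostname vpn.mydomain.com "$WORK/server/server.crt" >/dev/null
}

# Server side of IKE_AUTH: the client presents client.crt plus data signed with
# client.key. The server validates the cert against ca.crt and checks the
# signature with the public key taken from that cert; client.key is never needed.
server_checks_client() {
  openssl verify -CAfile "$WORK/server/ca.crt" "$WORK/client/client.crt" >/dev/null
  printf 'constructed stand-in for the signed IKE_AUTH octets\n' > "$WORK/auth.dat"
  openssl dgst -sha256 -sign "$WORK/client/client.key" -out "$WORK/auth.sig" "$WORK/auth.dat"
  openssl x509 -in "$WORK/client/client.crt" -pubkey -noout > "$WORK/server/peer.pub"
  openssl dgst -sha256 -verify "$WORK/server/peer.pub" -signature "$WORK/auth.sig" \
    "$WORK/auth.dat" >/dev/null
}

build_pki
deploy
keys_stay_home
client_checks_server
server_checks_client
echo "server holds: ca.crt server.crt server.key"
echo "client holds: ca.crt client.crt client.key"
echo "ca.key stayed offline; both directions of authentication verified in $WORK"
```

Run it as `sh example.sh`; set `WORK=/some/dir` beforehand if you want to inspect the files afterwards. The point of `server_checks_client` is the answer's second paragraph: the server never opens `client.key`, it verifies the AUTH signature with the public key it pulls out of the certificate the client just sent, and it accepts that certificate because it chains to the one CA certificate the server trusts. If the client's certificate were self-signed instead, `openssl verify -CAfile server/ca.crt` would fail and the server would need a local copy of that certificate (or its public key) to trust it, which is the case the answer describes.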