I'm creating my own openvpn server.
The Certificate authority is located on a separate host.
There are two kinds of clients: those that just send a .csr and to which I send the .crt as an answer, and the others which I build myself.
In the second case, I create the .key and .csr by using:
openssl req -days 3652 -nodes -new -keyout NewClient007.key -out NewClient007.csr
then the signed certificate by:
openssl ca -days 3652 -out NewClient007.crt -in NewClient007.csr
So, from there, I will install both .key and .crt on the new client and delete the .key from the CA.
If I understand rightly, the .crt may be useful if I want to revoke the key in future (but it is copied to Id.pem, where Id is the index number).
Current status, where ssl files are located:

server:
    ca.crt          CA's public certificate
    server.crt      server public certificate
    server.key      server private key
    crl.pem         CA signed certificates revocation list
    dh1024.pem      Diffie-Hellman parameters file

certificate authority:
    ca.key          CA's private key
    ca.crt          CA's public certificate
    index.txt       index of signed keys
    serial          number of next entry in index.txt
    index.txt.attr  attributes for index file
    ClientXXXX.crt  all clients' certificates
    ClientXXXX.csr  all clients' signing requests
    YY.pem          copy of clients' certificates according to index nr.

clients:
    ca.crt          CA's public certificate
    ClientXXXX.crt  the client certificate
    ClientXXXX.key  the client key
When I build the client key myself, it is immediately shredded and deleted once installed on the client.
So I think (but am not sure) I could quietly delete all ClientXXXX.csr and ClientXXXX.crt from the CA...
... So here is my question:
could I ever need to access the .csr files again, or could I definitively delete them?
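As an added illustration (not part of the question or any answer), the script below builds a throwaway CA in a temporary directory with the same openssl commands as above, deletes the client's .csr right after signing, and then revokes that client using only the index-numbered copy (newcerts/01.pem) and index.txt. The ca.cnf contents, the directory layout and the client name are assumptions constructed for this example.

```shell
# Added example (not from the original post): build a throwaway CA in a temp
# dir with the poster's own commands, delete the client's .csr right after
# signing, and then revoke that client using only the index-numbered copy
# (newcerts/01.pem) plus index.txt. The ca.cnf contents are constructed here.
set -eu

setup_ca() {
  CADIR=$(mktemp -d)
  cd "$CADIR"
  mkdir newcerts
  touch index.txt
  echo 01 > serial          # serial of the next certificate -> newcerts/01.pem
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 3652
default_crl_days = 30
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -nodes -newkey rsa:2048 -days 3652 -subj /CN=TestCA \
    -keyout ca.key -out ca.crt -config ca.cnf >/dev/null 2>&1
  openssl req -nodes -new -newkey rsa:2048 -subj /CN=NewClient007 \
    -keyout NewClient007.key -out NewClient007.csr -config ca.cnf >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in NewClient007.csr -out NewClient007.crt >/dev/null 2>&1
  rm NewClient007.csr       # the CSR plays no further part in CA operations
  echo "$CADIR"
}

# Revoke client 01 and regenerate the CRL without any .csr; prints the status
# flag now recorded for that entry in index.txt ('R' = revoked).
revoke_client() {
  cd "$1"
  openssl ca -config ca.cnf -revoke newcerts/01.pem >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  cut -f1 index.txt | head -n 1
}
```

Run `d=$(setup_ca); revoke_client "$d"` to see the entry flip to `R` and a fresh crl.pem appear, all with the .csr already gone.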