I am re-setting up some OpenVPN infrastructure to be more secure than the original and wanted some guidance.
It's noted that the best security policy is to keep the Certificate Authority (CA) offline and separate from the server, but there's not much guidance on how to achieve this.
If I have a CA, server, and client, where do all the keys/certificates (ca.key/crt, server.key/crt, client.key/crt) go?
Also, what is the best practice in the generation of these files? I've read that they should be generated on the server, and the *.csr files can be removed once the certificate is signed.
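The workflow the question is asking about, shown as an added example (not part of the original question or any answer): three directories stand in for the three machines, the CA directory is the only place the CA private key ever exists, each endpoint generates its own private key and only the CSR travels to the CA, the signed certificate travels back, and the CSRs are deleted once signed. It assumes the `openssl` command-line tool is installed; all names, paths, and subjects are constructed for the demonstration.

```shell
#!/bin/sh
# Offline-CA signing workflow with openssl (constructed example).
# Each directory plays the role of a separate machine.
set -eu

WORK="$(mktemp -d)"
CA_DIR="$WORK/ca-offline"   # the ONLY place ca.key lives
SRV_DIR="$WORK/server"      # server.key stays here; server.crt comes back from the CA
CLI_DIR="$WORK/client"      # client1.key stays here; client1.crt comes back from the CA
mkdir -p "$CA_DIR" "$SRV_DIR" "$CLI_DIR"

# Step 1 (offline CA machine): create the CA key and self-signed CA certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" \
    -subj "/CN=Example OpenVPN CA" >/dev/null 2>&1
  chmod 600 "$CA_DIR/ca.key"
}

# Step 2 (endpoint machine): generate the endpoint's own key pair and a CSR.
# $1 = endpoint directory, $2 = common name. The private key never leaves $1.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  chmod 600 "$1/$2.key"
}

# Step 3: transfer only the CSR to the CA, sign it there with the proper
# extended key usage, transfer the certificate (and public ca.crt) back,
# then delete the CSR on both sides since it is no longer needed.
# $1 = endpoint directory, $2 = common name, $3 = "server" or "client".
sign_csr() {
  cp "$1/$2.csr" "$CA_DIR/$2.csr"                  # CSR -> CA machine (public data)
  if [ "$3" = server ]; then
    printf 'extendedKeyUsage=serverAuth\n' > "$CA_DIR/ext.cnf"
  else
    printf 'extendedKeyUsage=clientAuth\n' > "$CA_DIR/ext.cnf"
  fi
  openssl x509 -req -in "$CA_DIR/$2.csr" \
    -CA "$CA_DIR/ca.crt" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
    -days 825 -extfile "$CA_DIR/ext.cnf" -out "$CA_DIR/$2.crt" >/dev/null 2>&1
  cp "$CA_DIR/$2.crt" "$1/$2.crt"                  # signed cert -> endpoint
  cp "$CA_DIR/ca.crt" "$1/ca.crt"                  # CA public cert -> endpoint
  rm -f "$CA_DIR/$2.csr" "$1/$2.csr" "$CA_DIR/$2.crt" "$CA_DIR/ext.cnf"
}

# Checks a practitioner would run afterwards.
verify_chain() {   # $1 = certificate; succeeds only if it chains to ca.crt
  openssl verify -CAfile "$CA_DIR/ca.crt" "$1" >/dev/null 2>&1
}
has_eku() {        # $1 = certificate, $2 = EKU text to look for
  openssl x509 -in "$1" -noout -text | grep -q "$2"
}
ca_key_count() {   # how many copies of ca.key exist anywhere in the tree
  find "$WORK" -name ca.key | wc -l | tr -d ' '
}

# Run the whole procedure for one server and one client.
make_ca
make_csr "$SRV_DIR" server
sign_csr "$SRV_DIR" server server
make_csr "$CLI_DIR" client1
sign_csr "$CLI_DIR" client1 client

echo "CA key copies in tree: $(ca_key_count) (expected 1, in $CA_DIR)"
verify_chain "$SRV_DIR/server.crt" && echo "server.crt verifies against ca.crt"
verify_chain "$CLI_DIR/client1.crt" && echo "client1.crt verifies against ca.crt"
```

The resulting layout answers the placement question directly: the CA directory holds `ca.key` (and `ca.crt`), the server directory holds `server.key`, `server.crt`, and a copy of `ca.crt`, and the client directory holds `client1.key`, `client1.crt`, and a copy of `ca.crt`; no private key is ever copied between directories, and no CSR remains once its certificate has been issued.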