
I am re-setting up some OpenVPN infrastructure to be more secure than the original and wanted some guidance.

It's noted that the best security policy is to keep the Certificate Authority (CA) offline and separate from the server, but there's not much guidance on how to achieve this.

If I have a CA, server, and client, where do all the keys/certificates (ca.key/crt, server.key/crt, client.key/crt) go?

Also, what is the best practice in the generation of these files? I've read that they should be generated on the server, and the *.csr files can be removed once the certificate is signed.

1 Answer


Like this:

  • CA machine: ca.crt, ca.key
  • Server: ca.crt, server.crt, server.key
  • Clients: client.crt, client.key, ca.crt

Notably, ca.key does NOT go on the server. If the server is compromised, then the attacker won't get ca.key.

With easy-rsa you generate the key and certificate on the CA machine, and send them to the client. Technically you don't need to keep them, although it's a good idea to keep the certificates in case you later need to revoke them. In that case, keep them on the CA machine.

paj28
  • Thanks for the response. I'm guessing the concept behind the security here is that when creating and signing the keys/certs, the CA injects a special formula in them unique to that CA, so when the server and client are checking each other out, they compare each other to see if that special-something is present in each other's certificates, and they do this by using a copy of ca.crt. VPN seems a little like public-key authentication, with its key pairs. I have a private key that I hold, and I give you my public key. You encrypt something with the public and I decrypt it with the private. – Christopher Kinnee Sep 08 '14 at 12:44
  • But in this case, you're saying both pieces of the pair remain on the server/client respectively, and that neither side needs the public certificate of the other (for example the client retaining the server.crt). Can you please explain this, and also explain, since both of them sit on its own machine, why need a pair? You don't mention keeping ca.crt on the client, but when creating Android *.ovpn profiles, I was required to use the client key & crt, plus ca.crt in the file – Christopher Kinnee Sep 08 '14 at 12:46
  • It seems to me, by how I think I understand your explanation, that all clients would need a copy of ca.crt to check for the special injection. So in the theoretical world, my server gets compromised in two different scenarios: A) while ca.key resides in a secure, offline location; B) while ca.key sits in the same /etc/openvpn/easy-rsa/keys location as the rest of the keys/certs. What happens in each case? I appreciate your assistance. While I understand some of the underlying concepts of VPN, it feels to me a large amount of complexity. – Christopher Kinnee Sep 08 '14 at 12:46
  • @ChristopherKinnee - sorry, client also needs ca.crt, I had omitted that. You're right, this is public key crypto - the .crt files contain a public key and .key files a private key. The difference between scenario A and B is simply that ca.key remains protected in scenario B. Compromise of your VPN server is still a serious issue. BTW, all the OpenVPN deployments I've seen actually use scenario A. – paj28 Sep 08 '14 at 13:19
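The three-host layout from the answer, simulated in temporary directories with plain openssl as an added example (not from the answer and not easy-rsa's own workflow). It uses the CSR flow the question mentions, so each endpoint keeps its own private key and only the CSR and the signed certificate cross host boundaries; the directory and subject names are made up, and two checks confirm that ca.key exists only on the CA machine and that each certificate chains to ca.crt.

```shell
#!/bin/sh
# One directory stands in for each host: CA machine, VPN server, client.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca-machine"; SRV="$WORK/server"; CLI="$WORK/client"

build_pki() {
  mkdir -p "$CA" "$SRV" "$CLI"

  # CA machine (kept offline): the only place ca.key is ever written.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null

  for host in server client; do
    dir="$WORK/$host"
    # The endpoint generates its own private key and a CSR; the key stays put.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$host" \
      -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    # Only the CSR travels to the CA machine, which signs it with ca.key.
    cp "$dir/$host.csr" "$CA/"
    openssl x509 -req -in "$CA/$host.csr" -CA "$CA/ca.crt" \
      -CAkey "$CA/ca.key" -CAcreateserial -days 825 \
      -out "$CA/$host.crt" 2>/dev/null
    # The signed cert and ca.crt go back to the endpoint; ca.key does not.
    cp "$CA/$host.crt" "$CA/ca.crt" "$dir/"
    # The CSR has served its purpose; the CA keeps $host.crt for revocation.
    rm "$dir/$host.csr" "$CA/$host.csr"
  done
}

# Succeeds only when ca.key is present on the CA machine and nowhere else.
ca_key_is_offline() {
  [ -f "$CA/ca.key" ] && [ ! -e "$SRV/ca.key" ] && [ ! -e "$CLI/ca.key" ]
}

# Succeeds when $2.crt in host directory $1 was issued by the trusted ca.crt.
cert_chains_to_ca() {
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

build_pki
if ca_key_is_offline; then echo "ca.key exists only on the CA machine: $CA"; fi
```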