Ivan "Rambius" Ivanov wrote:
> Hello,
>
> We successfully installed an openvpn server and a couple of openvpn
> clients. We are using private keys for authentication. I read the
> following in OpenVPN docs [1]:
>
> "Shouldn't it be possible to set up the PKI without a pre-existing
> secure channel?
>
> The answer is ostensibly yes. In the example above, for the sake of
> brevity, we generated all private keys in the same place. With a bit
> more effort, we could have done this differently. For example, instead
> of generating the client certificate and keys on the server, we could
> have had the client generate its own private key locally, and then
> submit a Certificate Signing Request (CSR) to the key-signing machine.
> In turn, the key-signing machine could have processed the CSR and
> returned a signed certificate to the client. This could have been done
> without ever requiring that a secret .key file leave the hard drive of
> the machine on which it was generated."
>
> Could you please advise me how to set up such a machine and where I
> can find software for a key-signing server?
>
> Thank you very much in advance.
>
> Regards
> Ivan
>
> [1] http://openvpn.net/howto.html#pki
>

http://www.intrusion-lab.net/roca/

Perhaps something like roCA, which is a Knoppix based distro with various bits of software for running a CA, would be suitable.

Regards,
Gavin

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
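The CSR flow quoted from the OpenVPN HOWTO above (the client generates its own key, submits a CSR, and receives a signed certificate), shown with the openssl command line as an added example that is not part of the original thread and not roCA's own tooling. The two "machines" are directories under one scratch path, and the CA name, client name and file names are constructed for illustration.

```shell
#!/bin/sh
# Added example: all names, paths and subjects are constructed for illustration.
set -eu

csr_demo() {
    work=$1                      # scratch directory standing in for two machines
    ca="$work/ca"; client="$work/client"
    mkdir -p "$ca" "$client"

    # Key-signing machine: CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example-VPN-CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" 2>/dev/null

    # Client: generate the private key locally and build a CSR from it.
    # (-nodes leaves the key unencrypted to keep the demo non-interactive.)
    ( umask 077
      openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
          -keyout "$client/client1.key" -out "$client/client1.csr" 2>/dev/null )

    # Client -> key-signing machine: only the CSR is transferred.
    cp "$client/client1.csr" "$ca/"

    # Key-signing machine: check the CSR's self-signature, then sign it.
    openssl req -in "$ca/client1.csr" -noout -verify >/dev/null 2>&1
    openssl x509 -req -in "$ca/client1.csr" -days 365 \
        -CA "$ca/ca.crt" -CAkey "$ca/ca.key" -CAcreateserial \
        -out "$ca/client1.crt" 2>/dev/null

    # Key-signing machine -> client: only public material goes back.
    cp "$ca/client1.crt" "$ca/ca.crt" "$client/"

    # Client: the certificate must chain to the CA and match the local key.
    openssl verify -CAfile "$client/ca.crt" "$client/client1.crt" >/dev/null
    cert_pub=$(openssl x509 -in "$client/client1.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$client/client1.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1

    # The client's private key never reached the key-signing machine.
    [ ! -e "$ca/client1.key" ] || return 1
}

csr_demo "$(mktemp -d)"
echo "certificate issued; client key stayed local"
```

The CSR and the returned certificate contain only public material, so they can travel over an untrusted channel; what the key-signing machine still has to establish out of band is that the CSR really came from the client it names.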