[ILUG] openvpn best practice and revoking
Gavin McCullagh
gmccullagh at gmail.com
Mon Sep 12 11:31:50 IST 2011
Hi,
I'm experimenting a little with openvpn. I guess I want to verify that my
understanding is correct now and see what people tend to do.
It seems that the basic authentication process is:
- create a CA
- create a key pair for each user, sign it with the CA and distribute the
private key to them
- openvpn checks if the connecting key is signed by our CA.
- openvpn (optionally) checks if the connecting key is not listed as a
revoked key
- some optional additional authentication may take place
I had initially assumed that the public key needed to be on the server to
verify the private key, but it seems like that's not important -- instead
the key being signed is what's important. I had initially imagined that by
deleting the public key off the server, you could disable the private key.
Instead, you revoke the key and a list of revoked keys is checked.
This means that one cannot easily enumerate the working keys in existence
-- you have to keep a list. So, it's possible for someone to get a key
signed and for you not to have any way to know that it exists. This is a bit
uncomfortable.
Is my understanding correct?
Following on from that, what do people tend to do as best practice?
- tightly restrict access to the CA key? (presumably!)
- always put passphrases on created keys?
- keep that list of signed keys very carefully because it can't be
verified?
- use a second authentication mechanism so that a signed key isn't enough?
- set keys to have relatively short lifetimes (I think the easy-rsa
scripts set 10 years by default)
- something else?
Many thanks in advance for any suggestions,
Gavin
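An added example, not from Gavin's post or from OpenVPN/easy-rsa, that walks the flow described above with a throwaway CA built on "openssl ca" (the config, file and function names are my own): the server needs only ca.crt to verify a client certificate, so a signed certificate stays valid until the CA revokes it and the CRL is checked, and the CA's index.txt is the only record of what was ever signed.

```shell
# Added example, not from the post: a throwaway CA driven by "openssl ca".
# The server holds only ca.crt, so a signed client cert stays valid until the
# CA revokes it and publishes a CRL; index.txt is the CA's only record of issuance.
set -e
setup_ca() {                 # builds a fresh CA in a temp dir and cd's into it
  CA_DIR=$(mktemp -d); cd "$CA_DIR"
  cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir
certificate = $dir/ca.crt
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
x509_extensions = user_ext
[ lab_policy ]
commonName = supplied
[ user_ext ]
basicConstraints = CA:FALSE
EOF
  touch index.txt; echo 01 > serial; echo 01 > crlnumber
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=Lab-CA -keyout ca.key -out ca.crt >/dev/null 2>&1
}
issue_cert() {               # $1 = user; key + CSR, then the CA signs it and logs it in index.txt
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -in "$1.csr" -out "$1.crt" >/dev/null 2>&1
}
verify_cert() {              # $1 = cert, $2 = CRL (optional); exit 0 = the server would accept it
  if [ -n "${2:-}" ]; then openssl verify -crl_check -CAfile ca.crt -CRLfile "$2" "$1" >/dev/null 2>&1
  else openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1; fi
}
revoke_cert() {              # $1 = cert; marks it R in index.txt and regenerates ca.crl
  openssl ca -config ca.cnf -revoke "$1" >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out ca.crl >/dev/null 2>&1
}
valid_count() { grep -c '^V' index.txt || true; }   # certs issued and not yet revoked
```

Run it with openssl on the PATH: setup_ca leaves the shell in a temp directory holding the CA files, and alice.crt verifies against ca.crt alone until revoke_cert has been run and verify_cert is given ca.crl.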