On Fri, Mar 18, 2016 at 1:24 AM, Heikki Hannikainen <hessu(a)hes.iki.fi> wrote:
> you should supply all of those LotW certificates in
> ca.crt. Yes, you can have them all in there, concatenated, OpenVPN will
> support that.
I didn't realize OpenVPN would accept multiple Root CAs. That's great.
>> - server.crt*
>> = Your personal LotW cert concatenated with the
>> intermediate that signed it.
> I don't think that will work. Your personal LotW cert does not contain "key
> usage" parameters that would allow it to be used as a server certificate, so
> the openvpn client probably will reject it. (If it doesn't, it is
> misconfigured.)
> You should set up a private CA and have it issue a server certificate to be
> used for the server cert, and the client should use that private CA's
> certificate as the "ca cert".
Checking for server key usage in OpenVPN is an optional configuration
of the client. Going through the extra steps of creating your own
root CA and distributing it to your clients is only necessary if you
want them to turn that check on. The only benefit of doing that
would be to prevent other LotW certificate holders from being able to
impersonate your server after a successful man-in-the-middle attack on
your external network traffic or DNS. They wouldn't be able to do
that to you without exposing their own identity (by proving they have
access to the private key of their LotW cert).
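To make the optional check discussed above concrete, here is an added example (not something posted in this thread): the OpenVPN client directive that turns the server key-usage check on, plus a small shell check that reads `openssl x509 -text` output and reports whether a certificate carries the server-authentication EKU. The hostname and file names are placeholders, the sample extension text is constructed, and the file-based wrapper assumes `openssl` is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread. Client config that makes OpenVPN refuse a
# peer certificate lacking the "TLS Web Server Authentication" EKU. Without the
# remote-cert-tls line, any certificate chaining to a root in ca.crt (another
# LotW holder's personal cert, per the thread) would be accepted as the server.
client_config_with_server_check() {
    cat <<'EOF'
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert me.crt
key me.key
remote-cert-tls server
EOF
}

# Reads the output of `openssl x509 -noout -text` on stdin and exits 0 if the
# Extended Key Usage extension lists TLS Web Server Authentication, 1 otherwise.
cert_text_has_server_eku() {
    awk '
        /X509v3 Extended Key Usage/ { in_eku = 1; next }
        in_eku && /TLS Web Server Authentication/ { found = 1 }
        in_eku && /^ *X509v3/ { in_eku = 0 }   # reached the next extension
        END { exit found ? 0 : 1 }
    '
}

# Wrapper for a PEM file on disk (requires openssl on PATH).
cert_file_has_server_eku() {
    openssl x509 -noout -text -in "$1" | cert_text_has_server_eku
}

# Constructed sample: the extension section of a client-only certificate,
# shaped like what `openssl x509 -text` prints. Not a real LotW cert.
SAMPLE_CLIENT_ONLY_EXTS='        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            TLS Web Client Authentication, E-mail Protection
        X509v3 Subject Key Identifier:
            00:11:22:33'

# Demonstration: a client-only cert must be rejected as a server cert.
if printf '%s\n' "$SAMPLE_CLIENT_ONLY_EXTS" | cert_text_has_server_eku; then
    echo "unexpected: sample advertises serverAuth"
else
    echo "sample lacks serverAuth EKU; remote-cert-tls server would reject it"
fi
```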