Where to keep key files in my PKI

Scripts to manage certificates or generate config files
Post Reply
pmcl77
OpenVpn Newbie
Posts: 3
Joined: Wed Sep 07, 2016 5:39 am

Where to keep key files in my PKI

Post by pmcl77 » Thu Oct 17, 2019 10:34 pm

Hi,

I am using the openVPN server on my synology diskstation with manual configuration and all the cert bells & whistles for increased security (private purpose).

Now I am aware that securitywise it is advised to have the CA on a seperate machine (neither server nor client). However I do not have the luxury of having an extra computer just for that. What is the recommended way of keeping the files (.crt .key) secure? For now I have my CA on my server just where they had been created, a folder that only root has access to. Isn`t that secure enough? if someone hacks my NAS and gets to those files, he is already in anyway, so it is too late already!? Or would it be wise to additionally put the files in a encrypted and password protected container?

Any other safety tips?

another question: I read somewhere the crl.pem would also need to be copied to clients, but somehow that does not make sense to me?

Thanks

Post Reply