how to create machine id based key or cert

Scripts to manage certificates or generate config files

Moderators: TinCanTech

pradeepg99
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 10, 2013 1:54 pm

how to create machine id based key or cert

Post by pradeepg99 » Sun Feb 10, 2013 2:15 pm

Hi,
I am Pradeep.
I created OpenVPN for my home (client) and office (server) on Windows XP and Windows 7; it's working fine,
but anyone can copy my client or server keys and certificates and connect from the other side. How can I create a strong key/cert (machine MAC ID based keys and cert), or is there any other solution? Please help me.

Thank you

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: how to create machine id based key or cert

Post by maikcat » Sun Feb 10, 2013 4:29 pm

Hi Pradeep,

If your clients are using Windows, then you can "install" the certs to their PCs
so they cannot "extract" them...
(machine mac id based keys and cert.)
AFAIK there is no such thing....(yet) :)

Michael.
Amiga 500 , Zx +2 owner
Long live Dino Dini (Kick off 2 Creator)

Inflammable means flammable? (Dr Nick Riviera, Simpsons Season 13)

"objects in mirror are losing"

pradeepg99
OpenVpn Newbie
Posts: 2
Joined: Sun Feb 10, 2013 1:54 pm

Re: how to create machine id based key or cert

Post by pradeepg99 » Tue Feb 12, 2013 8:25 am

How can I create machine (MAC ID based) certificates and keys for server and clients, so that no one can copy my cert & keys and connect from the other side?

maikcat
Forum Team
Posts: 4200
Joined: Wed Jan 12, 2011 9:23 am
Location: Athens,Greece

Re: how to create machine id based key or cert

Post by maikcat » Tue Feb 12, 2013 9:15 am

SSL/TLS certificates have nothing to do with MAC addresses...

I repeat, you can install them inside Windows and no one can extract them out.

Michael.

IncreasedSecurity
OpenVpn Newbie
Posts: 10
Joined: Mon Feb 25, 2013 1:04 am

Re: how to create machine id based key or cert

Post by IncreasedSecurity » Thu Mar 07, 2013 7:34 am

Is it possible for you to use firewall rules to prevent IP addresses you don't expect to need to connect from connecting (for instance, all international IP addresses if you're only operating inside your own national borders)?

If all sites have static IP, so much the better. If some are dynamic, and out of your control, that makes it harder, but you can probably still block either or both of, say, Iceland or Bangladesh, unless you do business in both of those countries. Repeat for other countries around the world.

It's absolutely not perfect - you really do need to keep control over your certs, but it helps to limit attackers somewhat.

I would also note that if an attacker can steal the cert, the attacker may also be able to either steal the machine (which you'd notice), or create one or more drive imaged "clones" of it (which you wouldn't notice), so even machine id based clients can be fairly easily duplicated in most cases.
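
One way to do the store-based install that maikcat's replies describe, as an added example that is not part of the thread. The file names, server address and every config line other than `cryptoapicert` are placeholders, and `Import-PfxCertificate` needs Windows 8 / Server 2012 or later; on XP or 7 the Certificates MMC import wizard with "Mark this key as exportable" left unchecked gives the same result.

```powershell
# Added example: import a client PKCS#12 bundle into the Windows certificate store
# with a non-exportable private key, then write an OpenVPN client config that
# references the certificate by thumbprint instead of by cert/key files.
# Assumption: OpenVPN is started by the same user who runs this script.
param(
    [string]$PfxPath = '.\client1.p12',         # placeholder: bundle issued by your CA
    [string]$CaPath  = 'ca.crt',                # placeholder: CA certificate file
    [string]$Remote  = 'vpn.example.com 1194',  # placeholder: server address and port
    [string]$OvpnOut = '.\client1.ovpn'         # placeholder: config file to write
)
$ErrorActionPreference = 'Stop'

$pw = Read-Host -AsSecureString -Prompt 'PKCS#12 password'

# -Exportable is deliberately omitted, so the key is stored as non-exportable.
# Re-read each imported certificate from the store and keep the one with a key.
$cert = Import-PfxCertificate -FilePath $PfxPath -Password $pw `
            -CertStoreLocation Cert:\CurrentUser\My |
        ForEach-Object { Get-Item "Cert:\CurrentUser\My\$($_.Thumbprint)" } |
        Where-Object { $_.HasPrivateKey } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key was imported from $PfxPath" }

# cryptoapicert is given the SHA-1 thumbprint as space-separated hex bytes.
$thumb = $cert.Thumbprint -replace '(..)(?!$)', '$1 '

# No cert/key directives: the key stays in the store and is used through CryptoAPI.
$config = @"
client
dev tun
remote $Remote
ca $CaPath
cryptoapicert "THUMB:$thumb"
remote-cert-tls server
"@
Set-Content -Path $OvpnOut -Value $config -Encoding ASCII

Write-Host "Imported $($cert.Subject)"
Write-Host "Wrote $OvpnOut; it contains no key material."
# Afterwards, delete $PfxPath and any loose client .key files from this machine
# and from wherever they were copied in transit.
```

This keeps the key out of copyable files in the OpenVPN config directory; as the last reply points out, a drive image of the machine still carries the store with it.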
