Single CA - Multiple (Separate) Servers

Scripts to manage certificates or generate config files

Moderators: TinCanTech

IglooDan
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 14, 2017 12:16 pm

Single CA - Multiple (Separate) Servers

Post by IglooDan » Sat Oct 14, 2017 12:30 pm

Hello,

I'm in the process of deploying multiple GSM routers to different sites around the country.
Each GSM router will be acting as an OpenVPN server for both myself and the customer of each site to access.

Up to press I have created a CA which moving forward I'll refer to as IglooDanCompany-CA.
Using the numerous guides I can easily create a server key/certificate and subsequent user key/certificate pairs.

My query is: how do the easy-rsa scripts know which server each user is associated with, or do all users have access to all servers which originally came from the original CA? Can I have one CA which signs a server for each of my sites and then generate user keys to access each server but not access to all? The setup I was aiming for is like below, with each user limited to their respective server.

Thanks.

IglooDanCompany-CA
---Site1
------Site1User1
------Site1User2
------Site1User3
---Site2
------Site2User1
------Site2User2
------Site2User3
---Site3
------Site3User1
------Site3User2
------Site3User3

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Single CA - Multiple (Separate) Servers

Post by TinCanTech » Sat Oct 14, 2017 2:36 pm


IglooDan
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 14, 2017 12:16 pm

Re: Single CA - Multiple (Separate) Servers

Post by IglooDan » Sat Oct 14, 2017 3:07 pm

TinCanTech,

Thanks for the reply; from what I can make of the link it won't separate the user access, but I'm not sure I'm understanding it correctly.

If I redraw my setup as a tree...

        IglooDanCompany-CA
                |
        ________|___________
        |                  |
     Server1            Server2
        |                  |
  Server1User1       Server2User1
  Server1User2       Server2User2
  Server1User3       Server2User3

If I have created the IglooDanCompany-CA I can easily go on to create Server1 and then create Server1User1 etc.
Creating Server2 is then just a replication of creating Server1; when I come to create Server2User1, how do I dictate that Server2User1 is to be a key for Server2?
In the above diagram, would all six users have access to both Server1 and Server2, or can I limit each user to a single server?

Thanks.

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Single CA - Multiple (Separate) Servers

Post by TinCanTech » Sat Oct 14, 2017 3:21 pm

It is a very complicated subject for which there are many different answers.

You may find it more useful to check the users mailing list or even buy a book:
https://openvpn.net/index.php/open-source/books.html

The authors are available via the mailing list and can probably advise you best.
https://sourceforge.net/p/openvpn/mailman/

IglooDan
OpenVpn Newbie
Posts: 3
Joined: Sat Oct 14, 2017 12:16 pm

Re: Single CA - Multiple (Separate) Servers

Post by IglooDan » Sat Oct 14, 2017 3:33 pm

TinCanTech,

Thanks for the advice.
For the sake of simplicity, I may be best creating a new CA for each site.
I'll look into the books.

Thanks again.
