Man-in-the-Middle?

Posted: Mon May 28, 2012 10:49 pm
by shinjikenny
I found this guide to avoid a possible man-in-the-middle attack...
[OpenVPN 2.0 and below] Build your server certificates with the build-key-server script (see the easy-rsa documentation for more info). This will designate the certificate as a server-only certificate by setting nsCertType=server. Now add the following line to your client configuration:

ns-cert-type server
I was wondering what will happen if the client erases "ns-cert-type server" in his ovpn config? Will he be vulnerable to a man-in-the-middle attack?

Can I use these both together in the client config? Do I only need to specify it in the client config? Or do I need to include it in the server config too?
remote-cert-tls server
ns-cert-type server
==============

Also, most of the OpenVPN install instructions I see on the web say to keep the "common name" as server when doing build-key-server server?
Which name are they referring to? This one:
./build-key-server server
or the common name that is asked for after issuing the ./build-key-server command?

Re: Man-in-the-Middle?

Posted: Tue May 29, 2012 9:54 am
by janjust
I was wondering what will happen if the client erases "ns-cert-type server" in his ovpn config? Will he be vulnerable to a man-in-the-middle attack?
Yes, the client is - in theory - vulnerable to MitM attacks. For such an attack to work, however, the attacker would need to have access to a (client) certificate and private key used by your openvpn setup. If the attacker has these then {s}he can pose as an alternative openvpn server.
Can I use these both together in the client config? Do I only need to specify it in the client config? Or do I need to include it in the server config too?
Quote:
remote-cert-tls server
ns-cert-type server
Yes, you can use them both; they need to be specified in the client configuration file.
Also, most of the OpenVPN install instructions I see on the web say to keep the "common name" as server when doing build-key-server server?
Which name are they referring to? This one:
Quote:
./build-key-server server

or the common name that is asked for after issuing the ./build-key-server command?
Seems like they're referring to that, but the advice is bogus - you can use any name when building the server key using ./build-key-server. It IS advisable to keep the server common name (the /CN= part of the certificate subject) to something logical/sensible/obvious. I would advise sticking the word 'server' in the name somewhere, but naming your openvpn server "server" is for sissies :lol:
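The two sides of what this reply describes, as an added example that is not part of the thread and not OpenVPN or easy-rsa code: a small check of whether a client .ovpn still carries a server-identity directive, and a look at which certificate extensions those directives actually test. "remote-cert-tls server" makes OpenVPN reject a peer whose certificate lacks the extendedKeyUsage "TLS Web Server Authentication"; the older "ns-cert-type server" tests the Netscape extension nsCertType = "SSL Server". Without either, any certificate signed by the CA, a client's included, is accepted as the server. The sample configs, the host name vpn.example.test and the throw-away self-signed certificates are constructed for the example; the certificate part only runs when an openssl CLI with -addext (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenVPN project).

# Number of server-identity directives in a client config. Only directives at
# the start of a line count, so a commented-out one ("# remote-cert-tls server")
# correctly counts as absent. grep exits 1 for "no match", which is not an error here.
ovpn_server_check_count() {
    grep -c -E '^[[:space:]]*(remote-cert-tls|ns-cert-type)[[:space:]]+server([[:space:]]|$)' "$1" \
        || [ $? -eq 1 ]
}

# Which server markers a PEM certificate carries, printed as "eku=yes|no ns=yes|no".
# eku  = extendedKeyUsage serverAuth (what remote-cert-tls server checks)
# ns   = nsCertType SSL Server        (what ns-cert-type server checks)
# Returns 1 if openssl cannot parse the file.
cert_server_markers() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 1
    eku=no; ns=no
    printf '%s\n' "$text" | grep -q 'TLS Web Server Authentication' && eku=yes
    printf '%s\n' "$text" | grep -q 'SSL Server' && ns=yes
    printf 'eku=%s ns=%s\n' "$eku" "$ns"
}

# Constructed sample client configs (hypothetical remote, not a real endpoint).
OVPN_EXAMPLE_DIR=$(mktemp -d)
cat > "$OVPN_EXAMPLE_DIR/good.ovpn" <<'EOF'
client
dev tun
remote vpn.example.test 1194
ca ca.crt
cert client1.crt
key client1.key
remote-cert-tls server
ns-cert-type server
EOF
cat > "$OVPN_EXAMPLE_DIR/bad.ovpn" <<'EOF'
client
dev tun
remote vpn.example.test 1194
ca ca.crt
cert client1.crt
key client1.key
# remote-cert-tls server   <- commented out: no server-identity check at all
EOF

for f in good bad; do
    n=$(ovpn_server_check_count "$OVPN_EXAMPLE_DIR/$f.ovpn")
    printf '%s.ovpn: %s server-identity directive(s)\n' "$f" "$n"
done

# Certificate side: one throw-away self-signed cert carrying both server markers
# (as easy-rsa's build-key-server would set them) and one plain cert without.
if command -v openssl >/dev/null 2>&1 && openssl req -help 2>&1 | grep -q addext; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=vpnserver' \
        -addext 'extendedKeyUsage=serverAuth' -addext 'nsCertType=server' \
        -keyout "$OVPN_EXAMPLE_DIR/server.key" -out "$OVPN_EXAMPLE_DIR/server.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=client1' \
        -keyout "$OVPN_EXAMPLE_DIR/client.key" -out "$OVPN_EXAMPLE_DIR/client.crt" 2>/dev/null
    for c in server client; do
        printf '%s.crt: %s\n' "$c" "$(cert_server_markers "$OVPN_EXAMPLE_DIR/$c.crt")"
    done
fi
```

Running it prints `good.ovpn: 2` and `bad.ovpn: 0` for the config check; with openssl present, server.crt shows `eku=yes ns=yes` while the plain client-style cert shows `eku=no ns=no`, which is exactly the difference the client directives rely on to tell a server apart from any other certificate the same CA signed.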

Re: Man-in-the-Middle?

Posted: Tue May 29, 2012 11:26 pm
by shinjikenny
What about the ca.key file? Does it have any purpose, or could I just delete it after generating the ca.crt file?
Same with the *.csr files? Are they still needed?

Is there a list for active and revoked users?

Re: Man-in-the-Middle?

Posted: Wed May 30, 2012 8:30 am
by janjust
Do NOT delete the ca.crt or ca.key files - they are crucial for your entire PKI.
Keep the ca.key file on a separate disk/machine for security reasons.
The *.csr files can be deleted after the corresponding .crt files are generated.
Inside $KEY_DIR you will find all the files for your PKI; it also contains the "database" (index.txt) that is used to generate revocation lists etc. You can use the 'revoke-full' script to revoke a certificate. Note that you will need the ca.crt and ca.key files to generate a CRL (Certificate Revocation List).
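As an added example that is not from the thread, easy-rsa or OpenVPN: a reader of the $KEY_DIR/index.txt "database" mentioned above, answering the earlier question about a list of active and revoked users. Each line of index.txt is tab-separated: status (V valid, R revoked, E expired), expiry date, revocation date (empty unless revoked), serial, filename and subject DN. The sample index is constructed here, with made-up names and example.test addresses. Note that the VPN server never reads index.txt itself; a revocation only takes effect once a CRL generated from it (which is what revoke-full does, and why it needs ca.key) is loaded on the server with crl-verify.

```shell
#!/bin/sh
# Added example (not from the thread, easy-rsa or OpenVPN).

# Print "<status> <serial> <CN>" for every entry, e.g. "revoked 03 client2".
pki_list_entries() {
    awk -F'\t' '{
        if ($1 == "V") s = "active"; else if ($1 == "R") s = "revoked";
        else if ($1 == "E") s = "expired"; else s = $1
        cn = $6; sub(/.*\/CN=/, "", cn); sub(/\/.*/, "", cn)   # pull the CN out of the DN
        print s, $4, cn
    }' "$1"
}

# Count entries with a given status word:  pki_count revoked index.txt
pki_count() {
    pki_list_entries "$2" | awk -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Exit 0 if a certificate with this CN is currently valid (status V), else 1.
# A CN can appear more than once if a user was revoked and re-issued, so only
# an entry that is still active counts.
pki_is_active() {
    pki_list_entries "$2" \
        | awk -v cn="$1" '$1 == "active" && $3 == cn { f = 1 } END { exit f ? 0 : 1 }'
}

# Constructed sample index.txt (dates are YYMMDDHHMMSSZ, serials are hex,
# the filename column is "unknown" as OpenSSL's ca tool writes it).
PKI_EXAMPLE_INDEX=$(mktemp)
{
    printf 'V\t220528120000Z\t\t01\tunknown\t/C=US/O=Example VPN/CN=vpnserver/emailAddress=admin@example.test\n'
    printf 'V\t220528120000Z\t\t02\tunknown\t/C=US/O=Example VPN/CN=client1/emailAddress=c1@example.test\n'
    printf 'R\t220528120000Z\t120530083000Z\t03\tunknown\t/C=US/O=Example VPN/CN=client2/emailAddress=c2@example.test\n'
} > "$PKI_EXAMPLE_INDEX"

pki_list_entries "$PKI_EXAMPLE_INDEX"
printf 'active: %s  revoked: %s\n' \
    "$(pki_count active "$PKI_EXAMPLE_INDEX")" "$(pki_count revoked "$PKI_EXAMPLE_INDEX")"
```

On the sample index this lists vpnserver and client1 as active and client2 as revoked (serial 03, revocation date in the third column), and `pki_is_active client2 index.txt` fails, which is the check an administrator would script before handing out or re-issuing a certificate.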

Re: Man-in-the-Middle?

Posted: Wed May 30, 2012 1:35 pm
by maikcat
The ca.key file MUST remain SECRET, and DON'T delete it....

If you check the cert creation process you will notice that
first the .csr is created and then the .crt.

The .csr, as janjust said, can be deleted AFTER the .crt is made.

(CSR = Certificate Signing Request)

Michael.