Better encrypted private key of certificate?

This is where we can discuss what we would like to see added or changed in OpenVPN.


Post by eranma38 » Sat May 03, 2014 5:00 pm

Hello

I think that this subject has been brought up before, but anyway...

I used OpenVPN with certificate authentication - public and private key for the client.

My main concern is that these keys can be copied to another computer.
Of course, there is an option to add user/password in addition to the certificate, but what if someone doesn't trust some of the users, and they can copy the keys (especially their private key) to someone else and give them their password?

Now, in Windows ( ;) ) there are options to import the private key with a password and make it unexportable.

Is there a similar way in OpenVPN? (I know that there is the option to specify a password for the private key - but in this case, the user also knows all the passwords.)

How about this: IT, who knows the decryption password of the private key, somehow imports it into the client's configuration folder (or other internal configuration of the operating system itself), the file is encrypted/changed, and the VPN software can use it regularly.
But the file can't be exported.

(Another solution is to use tokens, but there are issues managing them.)


Please advise

Thank you

Eranma
