Is it risky to trust CAs in config files?
Moderators: TinCanTech
-
- OpenVpn Newbie
- Posts: 1
- Joined: Tue Aug 23, 2022 9:19 pm
Is it risky to trust CAs in config files?
I viewed my openvpn config file and it has a <ca> block. What does that mean? Is that CA installed system wide, or is it just used for the tls-crypt connection, and authentication with the server? And finally, is it safe to use because my friend gave me this config?
-
- OpenVPN Protagonist
- Posts: 11137
- Joined: Fri Jun 03, 2016 1:17 pm
Re: Is it risky to trust CAs in config files?
Do you trust your friend?
- openvpn_inc
- OpenVPN Inc.
- Posts: 1333
- Joined: Tue Feb 16, 2021 10:41 am
Re: Is it risky to trust CAs in config files?
Hello Imply6032,
The CA does not get installed into your system. It is only used by OpenVPN to verify the identity of the server. Since OpenVPN servers use privately signed certificates you can't verify them using public entities that have root CAs in your system, so you need a copy of the server CA public certificate, and that's what you've got in the client profile. The optional control channel security method tls-crypt uses a separate key that is stored in a block that mentions something like <tls-crypt> or <tls-crypt-v2> and is for encrypting the control channel.
If you trust your friend then it is safe to use this profile.
Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support