Is it risky to trust CAs in config files?

Scripts to manage certificates or generate config files

Moderators: TinCanTech

Imply6032
OpenVpn Newbie
Posts: 1
Joined: Tue Aug 23, 2022 9:19 pm

Is it risky to trust CAs in config files?

Post by Imply6032 » Tue Aug 23, 2022 9:22 pm

I viewed my OpenVPN config file and it has a <ca> block. What does that mean? Is that CA installed system-wide, or is it just used for the tls-crypt connection and authentication with the server? And finally, is it safe to use because my friend gave me this config?

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Is it risky to trust CAs in config files?

Post by TinCanTech » Tue Aug 23, 2022 9:29 pm

Do you trust your friend?

openvpn_inc
OpenVPN Inc.
Posts: 1332
Joined: Tue Feb 16, 2021 10:41 am

Re: Is it risky to trust CAs in config files?

Post by openvpn_inc » Wed Aug 24, 2022 9:33 am

Hello Imply6032,

The CA does not get installed into your system. It is only used by OpenVPN to verify the identity of the server. Since OpenVPN servers use privately signed certificates you can't verify them using public entities that have root CAs in your system, so you need a copy of the server CA public certificate, and that's what you've got in the client profile. The optional control channel security method tls-crypt uses a separate key that is stored in a block that mentions something like <tls-crypt> or <tls-crypt-v2> and is for encrypting the control channel.

If you trust your friend then it is safe to use this profile.

Kind regards,
Johan
OpenVPN Inc.
Answers provided by OpenVPN Inc. staff members here are provided on a voluntary best-effort basis, and no rights can be claimed on the basis of answers posted in this public forum. If you wish to get official support from OpenVPN Inc. please use the official support ticket system: https://openvpn.net/support
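
The `<ca>` and `<tls-crypt>` inline blocks described in the answer above can be inspected before the profile is ever used. The script below is an example added here, not part of the forum posts or OpenVPN's own code: it lists a profile's inline blocks and computes the SHA-256 fingerprint of each certificate in `<ca>`, which can then be compared with the value the server's operator reads out. The sample profile, hostname, key body and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

# Constructed sample: placeholder bytes stand in for a real DER certificate,
# and the tls-crypt key body is a dummy value.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PROFILE = """client
remote vpn.example.net 1194
<ca>
-----BEGIN CERTIFICATE-----
{b64}
-----END CERTIFICATE-----
</ca>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
00112233445566778899aabbccddeeff
-----END OpenVPN Static key V1-----
</tls-crypt>
""".format(b64=base64.b64encode(SAMPLE_DER).decode())

# An inline block is <name> on its own line, a body, then </name> on its own line.
INLINE_BLOCK = re.compile(r"^<([a-z0-9-]+)>\s*$(.*?)^</\1>\s*$", re.M | re.S)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def inline_blocks(profile_text):
    """Return {block name: body} for every inline <name>...</name> block."""
    return {m.group(1): m.group(2).strip()
            for m in INLINE_BLOCK.finditer(profile_text)}


def ca_fingerprints(profile_text):
    """SHA-256 fingerprint (hash of the DER bytes) of each cert in <ca>."""
    body = inline_blocks(profile_text).get("ca", "")
    prints = []
    for pem in PEM_CERT.findall(body):
        der = base64.b64decode("".join(pem.split()))  # drop PEM line breaks
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


if __name__ == "__main__":
    print("inline blocks:", sorted(inline_blocks(SAMPLE_PROFILE)))
    for fp in ca_fingerprints(SAMPLE_PROFILE):
        print("CA SHA-256:", fp)
```
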
