Is it risky to trust CAs in config files?

Posted: Tue Aug 23, 2022 9:22 pm
by Imply6032
I viewed my OpenVPN config file and it has a <ca> block. What does that mean? Is that CA installed system-wide, or is it just used for the tls-crypt connection and authentication with the server? And finally, is it safe to use because my friend gave me this config?

Re: Is it risky to trust CAs in config files?

Posted: Tue Aug 23, 2022 9:29 pm
by TinCanTech
Do you trust your friend?

Re: Is it risky to trust CAs in config files?

Posted: Wed Aug 24, 2022 9:33 am
by openvpn_inc
Hello Imply6032,

The CA does not get installed into your system. It is only used by OpenVPN to verify the identity of the server. Since OpenVPN servers use privately signed certificates, you can't verify them using public entities that have root CAs in your system, so you need a copy of the server CA public certificate, and that's what you've got in the client profile. The optional control channel security method tls-crypt uses a separate key that is stored in a block that mentions something like <tls-crypt> or <tls-crypt-v2> and is for encrypting the control channel.

If you trust your friend then it is safe to use this profile.

Kind regards,
Johan
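
Added example, not part of the thread and not OpenVPN's own code: a small Python script that lists the inline blocks in a client profile and prints the SHA-256 fingerprint of each certificate in the <ca> block, so it can be compared out-of-band with the fingerprint of the server operator's CA. The function names, the sample profile, the hostname and the placeholder certificate bytes are all constructed for illustration.

```python
import base64
import hashlib
import re

# Inline blocks look like <ca> ... </ca>, each tag alone on its own line.
BLOCK_RE = re.compile(r"^<([a-z0-9-]+)>\s*$(.*?)^</\1>\s*$", re.M | re.S)
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def inline_blocks(profile_text):
    """Return {block_name: body} for every inline block in the profile."""
    return {name: body.strip() for name, body in BLOCK_RE.findall(profile_text)}


def ca_fingerprints(profile_text):
    """SHA-256 fingerprint (over the DER bytes) of each cert in the <ca> block."""
    ca_body = inline_blocks(profile_text).get("ca", "")
    prints = []
    for b64 in PEM_RE.findall(ca_body):
        der = base64.b64decode("".join(b64.split()))
        digest = hashlib.sha256(der).hexdigest().upper()
        prints.append(":".join(digest[i:i + 2] for i in range(0, 64, 2)))
    return prints


def _constructed_pem(raw):
    # Wraps arbitrary bytes in PEM framing; the result is NOT a real certificate.
    body = base64.encodebytes(raw).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample input (assumption: real profiles carry a real CA cert here).
SAMPLE_CA_BYTES = b"constructed placeholder, not a real DER certificate"
SAMPLE_PROFILE = (
    "client\nremote vpn.example.net 1194\n"
    "<ca>\n" + _constructed_pem(SAMPLE_CA_BYTES) + "</ca>\n"
    "<tls-crypt>\n(constructed placeholder key material)\n</tls-crypt>\n"
)

if __name__ == "__main__":
    print("inline blocks:", sorted(inline_blocks(SAMPLE_PROFILE)))
    for fp in ca_fingerprints(SAMPLE_PROFILE):
        print("CA SHA-256:", fp)
```

On a real profile the printed value has the same form as the output of `openssl x509 -noout -fingerprint -sha256` run against the CA certificate file.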