Post
by krzee » Tue Oct 26, 2010 11:44 pm
It should work, but may not...
PKI works based on your cert (public key) being signed by the CA's private key (the most secret piece of your PKI).
Then the other side can verify your cert was signed by the CA by using the CA cert.
Then you verify the other side's cert is signed by the CA's private key by checking it against your CA cert.
Once you trust each other through this method you can start communicating.
Optionally you can check for more information as well. For example, in OpenVPN, best practice is to specially sign the server cert as a server, then have clients make sure it was signed that way, in order to stop man-in-the-middle attacks.
If your other software that requires a PKI needs something extra in the PKI, you may want to use its tool to make your config, and it should work for OpenVPN.
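As an added example (not from krzee's post, and not OpenVPN's or easy-rsa's own tooling), the shell script below uses plain openssl to build the PKI described above and then runs the two checks the post mentions: whether a cert was signed by the CA (verified against the CA cert), and whether the server cert was issued "as a server" (the extendedKeyUsage serverAuth marking that a client checks to stop a client cert from being used to impersonate the server). A second, rogue CA is built as well so the negative case of the chain check is visible. All file names, subject names and the rogue CA are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a throwaway PKI with openssl
# and runs the two checks described in the post. Assumes openssl is installed;
# every file and subject name below is made up for the example.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Issue a cert from a CSR with the given CA and extension file.
sign_with_ca() { # csr ca.crt ca.key extfile out.crt
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile "$4" -out "$5" >/dev/null 2>&1
}

build_pki() {
  [ -f "$WORK/rogue_server.crt" ] && return 0   # already built

  # Our CA: key (the most secret piece of the PKI) plus self-signed CA cert.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Example CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1

  # Extensions: the server cert is marked for server use, the client cert is not.
  printf 'extendedKeyUsage = serverAuth\nkeyUsage = digitalSignature, keyEncipherment\n' > "$WORK/server.ext"
  printf 'extendedKeyUsage = clientAuth\nkeyUsage = digitalSignature\n' > "$WORK/client.ext"

  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  sign_with_ca "$WORK/server.csr" "$WORK/ca.crt" "$WORK/ca.key" "$WORK/server.ext" "$WORK/server.crt"

  openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
  sign_with_ca "$WORK/client.csr" "$WORK/ca.crt" "$WORK/ca.key" "$WORK/client.ext" "$WORK/client.crt"

  # A rogue CA that also marks its server cert "as a server": it passes the EKU
  # check but must fail the chain check, because our CA never signed it.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Rogue CA" \
    -keyout "$WORK/rogue_ca.key" -out "$WORK/rogue_ca.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
    -keyout "$WORK/rogue_server.key" -out "$WORK/rogue_server.csr" >/dev/null 2>&1
  sign_with_ca "$WORK/rogue_server.csr" "$WORK/rogue_ca.crt" "$WORK/rogue_ca.key" \
    "$WORK/server.ext" "$WORK/rogue_server.crt"
}

# Check 1: was this cert signed by our CA? Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Check 2: is this cert marked for server use (serverAuth EKU plus suitable
# keyUsage)? Prints "yes" or "no". This is the check a client applies to the
# server cert so that another client's cert cannot be presented as the server's.
has_server_eku() {
  if openssl x509 -in "$1" -noout -purpose 2>/dev/null | grep -q '^SSL server : Yes'; then
    echo yes
  else
    echo no
  fi
}

build_pki
for c in server client rogue_server; do
  printf '%-13s chain=%s server-marked=%s\n' "$c" \
    "$(verify_chain "$WORK/$c.crt")" "$(has_server_eku "$WORK/$c.crt")"
done
```

Only the genuine server cert passes both checks: the client cert is signed by the CA but is not marked as a server, and the rogue server cert is marked as a server but is not signed by the CA. On the OpenVPN side the first check is what `ca ca.crt` gives you, and the second is what the client directive `remote-cert-tls server` (or the older `ns-cert-type server`, which relies on the nsCertType extension instead of extendedKeyUsage) enforces against the server's cert.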