[openssl-users] Is a certificate supposed to certify a device ...

debbie10t debbie10t at gmail.com
Tue May 24 13:58:01 UTC 2016


Hi Kim kim.

you would get more appropriate advise for OpenVPN from:
https://forums.openvpn.net/

Also see the OpenVPN HOWTO located there ..
The manual page can also be very helpful:
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

The openvpn users mailing list is also a great source of help.
Find the mailing lists at:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/61-mailing-lists.html

With regard to your specific problem:
   If you have deleted your server side copies of the ca.key and ca.crt
   then all the associated server & client certificates/keys will be useless
   and can *never* be used by openvpn again.
   You would have to recreate a new PKI from scratch.

Regards
-- 




On 24/05/16 08:21, Kim kim wrote:
> Hello,
>
>
> I am a non English native and just a newbie, the opposite of an IT expert, and am totally stuck on this. If any of you can kindly give any advice on my stupid or basic questions I would indeed greatly, greatly appreciate your help:
>
>
> Some while ago, for the first time in my life I (installed servers and) created certificates/keys, in order to use Openvpn on my stuffs. I successfully created those but then I felt I needed to figure out much more about other parts of server security, so I couldn't use those immediately but just leave those alone.
>
>
> What I've done was,
>
> - I wanted to use Openvpn on my work and all other stuffs (I'm not an expert; I just wanted to learn and do the basic things, if I can.).
>
> - After reading some documents I understood/thought I should have "server" in order to use Openvpn. (Until then, I only have Microsoft Windows (not server) and virtual machine guest Windows (not server) on it.)
>
> - So I installed some Linux "server(s)" as guest os(es), for the first time in my life.
>
>       here what I actually did was: 1. installed A server, 2. following the instructions on the Openvpn website etc, completed the steps issuing cerficates (CA, server, client) using easy-rsa, 3. installed B server as another guest os, 2. completed the issueing certificates (CA, server, client) steps.
>
> - But I felt I should learn and configure the rest part of server security in order to actually start using the system(s), so I couldn't go further at that time; so I just quit going further and had to leave those alone, without doing anything on it.
>
> - disconnected the internet connections from those guest OSes.
>
>
> And then i've been worried about the certificates and keys that were properly issued at that time, I believe. I don't know what I have to be worried about actually and even if I really have to be worried about any things regarding it or not.
>
> At that time I created the certificates mainly for the use of all my basic(?)/initial(?) system, so the CAs, servers, and clients cerfiticates were only created and as far as I remember I didn't send these to others or share with any.
>
> But I'm worried as I hear server can be hacked very quickly after created...
>
> Haven't deleted/couldn't delete those two servers because I don't know if it will be needed, if the certificates and keys need to be revoked....
>
>
> I wonder, do I have to revoke all the cerfiticates and keys, including CA itself? Do I revoke the CAs using the same CAs?
>
> (And actually I had a window os, not server, too before installing those two servers, in which I also issued some certs and keys to use Openvpn (until then I didn't think about the need of "server" for using Openvpn), but then I just completely deleted the window device itself without making any revocation or whatsoever.. so currently I don't even have that system... Can I still even revoke those certificates and keys issued on the deleted device? how?...)
>
>
> I now really need to proceed with my stuffs but I'm still stuck on it.
>
> I don't know what should I do to delete any risk/danger remaining, if any. Or can I simply delete these two servers) without revoking(?) any or whatsoever, without anything to worry about?
>
> Is a certificate supposed to certify a device (either CA, server or client)? So therefore don't I have to be even worried about the certs and keys if I no longer use the device itself (or if I delete the device itself)? What is the bottom line for compromised etc certificates/keys (maybe in security perspective or whatsoever...)?
>
>
> I look forward to hearing from you.
>
> Thank you very much for your time and your help indeed!
>
> Best regards,
> Kim
>
>



More information about the openssl-users mailing list