[openssl-users] Is a certificate supposed to certify a device ...

[Kim kim]

Hello,


I am a non English native and just a newbie, the opposite of an IT expert, and am totally stuck on this. If any of you can kindly give any advice on my stupid or basic questions I would indeed greatly, greatly appreciate your help:


Some while ago, for the first time in my life I (installed servers and) created certificates/keys, in order to use Openvpn on my stuffs. I successfully created those but then I felt I needed to figure out much more about other parts of server security, so I couldn't use those immediately but just leave those alone.


What I've done was,

- I wanted to use Openvpn on my work and all other stuffs (I'm not an expert; I just wanted to learn and do the basic things, if I can.).

- After reading some documents I understood/thought I should have "server" in order to use Openvpn. (Until then, I only have Microsoft Windows (not server) and virtual machine guest Windows (not server) on it.)

- So I installed some Linux "server(s)" as guest os(es), for the first time in my life.

     here what I actually did was: 1. installed A server, 2. following the instructions on the Openvpn website etc, completed the steps issuing cerficates (CA, server, client) using easy-rsa, 3. installed B server as another guest os, 2. completed the issueing certificates (CA, server, client) steps.

- But I felt I should learn and configure the rest part of server security in order to actually start using the system(s), so I couldn't go further at that time; so I just quit going further and had to leave those alone, without doing anything on it.

- disconnected the internet connections from those guest OSes.


And then i've been worried about the certificates and keys that were properly issued at that time, I believe. I don't know what I have to be worried about actually and even if I really have to be worried about any things regarding it or not.

At that time I created the certificates mainly for the use of all my basic(?)/initial(?) system, so the CAs, servers, and clients cerfiticates were only created and as far as I remember I didn't send these to others or share with any.

But I'm worried as I hear server can be hacked very quickly after created...

Haven't deleted/couldn't delete those two servers because I don't know if it will be needed, if the certificates and keys need to be revoked....


I wonder, do I have to revoke all the cerfiticates and keys, including CA itself? Do I revoke the CAs using the same CAs?

(And actually I had a window os, not server, too before installing those two servers, in which I also issued some certs and keys to use Openvpn (until then I didn't think about the need of "server" for using Openvpn), but then I just completely deleted the window device itself without making any revocation or whatsoever.. so currently I don't even have that system... Can I still even revoke those certificates and keys issued on the deleted device? how?...)


I now really need to proceed with my stuffs but I'm still stuck on it.

I don't know what should I do to delete any risk/danger remaining, if any. Or can I simply delete these two servers) without revoking(?) any or whatsoever, without anything to worry about?

Is a certificate supposed to certify a device (either CA, server or client)? So therefore don't I have to be even worried about the certs and keys if I no longer use the device itself (or if I delete the device itself)? What is the bottom line for compromised etc certificates/keys (maybe in security perspective or whatsoever...)?


I look forward to hearing from you.

Thank you very much for your time and your help indeed!

Best regards,
Kim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160524/b6330a2d/attachment.html>