Netgate Discussion Forum
    OpenVPN Client export has private key in it.

    OpenVPN (7 posts, 3 posters)

    • shoulders

      When exporting Android or 'OpenVPN Connect' inline configurations with 'Client Export' for OpenVPN they include the private key.
      -----BEGIN PRIVATE KEY-----

      I was under the assumption that a private key should stay private on the server. Am I correct or is there a use of the private key I do not know?

      thanks

      • viragomann @shoulders

        @shoulders
        No, it's the client's private key.

        The server's private key stays stored on pfSense. But you can export it from the cert manager if you want.

        The private key is needed on the device, which has to provide its certificate to the remote device.

        • johnpoz LAYER 8 Global Moderator @viragomann
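A small check, added here as an example (not code from pfSense or from anyone in the thread), that parses the inline blocks of an exported .ovpn and confirms it carries the client's private key while the <ca> and <cert> blocks hold certificates only. The sample profile and its PEM bodies are constructed placeholders.

```python
import re

# Constructed sample shaped like a pfSense 'Client Export' inline .ovpn;
# the PEM bodies are placeholders, not real certificates or keys.
SAMPLE_OVPN = """client
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-CERT
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CLIENT-CERT
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
PLACEHOLDER-CLIENT-KEY
-----END PRIVATE KEY-----
</key>
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
PLACEHOLDER-STATIC-KEY
-----END OpenVPN Static key V1-----
</tls-crypt>
"""

INLINE_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)
PEM_LABEL_RE = re.compile(r"-----BEGIN ([^-]+)-----")

def inline_blocks(config: str) -> dict:
    """Map each inline tag (ca, cert, key, tls-crypt, ...) to the PEM labels inside it."""
    return {m.group("tag"): PEM_LABEL_RE.findall(m.group("body"))
            for m in INLINE_RE.finditer(config)}

def audit_export(config: str) -> list:
    """Report which secrets an exported client profile carries and whether that is expected."""
    blocks = inline_blocks(config)
    findings = []
    # The client's own private key belongs here: it signs the TLS handshake.
    if any("PRIVATE KEY" in label for label in blocks.get("key", [])):
        findings.append("ok: <key> holds the client's private key (expected)")
    else:
        findings.append("warn: no client private key, certificate auth cannot complete")
    # <ca> and <cert> must hold certificates only; the CA's private key never leaves pfSense.
    for tag in ("ca", "cert"):
        if any("PRIVATE KEY" in label for label in blocks.get(tag, [])):
            findings.append(f"fail: <{tag}> contains a private key that should not be exported")
    return findings
```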

          @viragomann you beat me to it ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • shoulders @johnpoz

            Thanks, I would have thought it would have been called a public key or something else. At least it is supposed to be there.

            • viragomann @shoulders

              @shoulders
              The certificate is a kind of public key. It's handed out when you establish a connection.

              • johnpoz LAYER 8 Global Moderator @shoulders

                @shoulders it has your cert and then you have your private key for that cert..

                Now I might mess up the steps here, it's been forever since I have looked into the specifics of the openvpn auth method. Or for that matter just ssl/tls in general. Keep in mind you're also probably using the tls key, which is also encrypting or signing or both depending on the method of auth, or auth and encryption of the control channel info - in general openvpn uses the static tls key to throw away bad traffic, etc. Like I said, it's been a while..

                But in a nutshell this should be somewhat close to the process.. And why you need the private key to your cert..

                You might want to look up how the session key is exchanged in ssl, the server cert and client cert are not actually used for encryption of the data that will be exchanged they are used for auth and exchange of the symmetric key..

                So you have the CA of the server cert, so you can validate that a cert the server sends is signed by the CA.. Just like how you validate that somewhere.domain.tld cert they present to you is signed by the CA.. And with the cert they send you and them signing it with their private key you can validate.. Look up how signing works.

                You then use the cert they hand you that you know is signed by the CA, you then send your cert to them via this cert encryption, they know your cert has been signed by the same CA.. And they have their key to decrypt that traffic that you sent them.

                Your signature on what you sent them is done with the private key you have. They can validate this with just the public, and anything they send to your public cert you would need the private key to decrypt, but it might only be used for you to sign what you're sending. Like I said it has been a long while ;)

                Short version is you validate that you're talking to the correct server, and the server validates you are a valid client. And you exchange a session or symmetrical key that is used for the actual encryption and decryption of actual data you will send over the vpn.

                You do need that private key, but I don't recall if they ever send you traffic that you need to decrypt with it - I believe it's only used for the signing of the session key the client sends.. The server can validate your signature via your cert.


                • shoulders @johnpoz

                  @johnpoz thanks for all of the info. I have read it, but it is late here in Blighty (UK) so it might take me a while to mull this over. Information like this helps us newbies (i.e. me) a lot and is appreciated.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.