Netgate Discussion Forum
    Safe to have PKI CA on same box as OpenVPN?

    Category: OpenVPN
    3 Posts, 2 Posters, 780 Views
    coreybrett wrote:

      Based on this page, https://openvpn.net/index.php/open-source/documentation/howto.html#pki and other general best practices about running a PKI, it seems like having the CA on the same box as OpenVPN server is not a good idea.

      Is there something about the way pfSense is set up that makes this OK?

    ray-san wrote:

        Short answer: No, it doesn't make any difference.

        Long answer: It depends on your environment. If your pfSense box is in a trusted environment (at home, or in a company where only the people who should have both physical and remote access actually have access to the box), you use the PKI only for VPN, and access from outside is only possible via VPN, it makes no real difference. That means that if someone who shouldn't get access via VPN does get access, your PKI is already broken, so it doesn't make any difference if these bad guys get access to your PKI, because they already have it.

        Virtualised pfSense with Xen on Gentoo Linux

    coreybrett wrote:

          Sounds reasonable. I am only using the pfSense hosted CA for the VPN.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.