Different CA for clients and server
-
Hi guys,
I'm unable to figure out how to configure a different OpenVPN server CA from the client CA.
As per the OpenVPN manual: To avoid a possible Man-in-the-Middle attack where an authorized client tries to connect to another client by impersonating the server, make sure to enforce some kind of server certificate verification by clients. There are currently four different ways of accomplishing this, listed in the order of preference: ... (4) **Sign server certificates with one CA and client certificates with a different CA**. The client config "ca" directive should reference the server-signing CA while the server config "ca" directive should reference the client-signing CA.
I'm pretty sure that the Peer Certificate Authority option needs to be configured with the server CA, but where do I configure the client CA in the OpenVPN server wizard?
Thanks
-
@gvecchi said in Different CA for clients and server:
I'm pretty sure that the Peer Certificate Authority option needs to be configured with the server CA, but where do I configure the client CA in the OpenVPN server wizard?
This is likely unnecessary as OpenVPN won't connect to another server if it isn't a server certificate these days. So unless the CA is compromised you won't see this kind of attack succeed.
That said, in the above text it explains what to do. On your server, pick the CA that signed the client certificates. In the client configuration, export and use the CA that signed the server certificate. The client export package doesn't support this, so you'd have to do it manually.
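The placement described in the reply above, worked through end to end, as an added example that is not code from this thread, from pfSense, or from the OpenVPN project. The script builds two independent CAs with openssl, signs the server certificate with one and a client certificate with the other, writes the two config fragments (the `ca` line is what the pfSense "Peer Certificate Authority" field fills in), and then runs the two checks each OpenVPN peer performs: chain validation against the peer CA and the EKU check behind `remote-cert-tls`. The names `server-ca`, `client-ca`, `vpn-server`, `alice` and the `$WORK` directory are assumptions made up for the demo.

```shell
#!/bin/sh
# Added example, not from this thread and not pfSense or OpenVPN project code.
# Builds two independent CAs with openssl, signs the server certificate with one
# and a client certificate with the other, then runs the two checks each OpenVPN
# peer performs: chain validation ("ca") and the EKU check ("remote-cert-tls").
# All names and paths (server-ca, client-ca, vpn-server, alice, $WORK) are
# assumptions made up for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the CA certs carry CA:TRUE regardless of the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF

# make_ca NAME: self-signed CA key and certificate under $WORK
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue CA NAME EKU: leaf certificate NAME signed by CA, carrying extendedKeyUsage EKU
issue() {
    printf 'extendedKeyUsage = %s\nkeyUsage = digitalSignature, keyEncipherment\n' "$3" \
        > "$WORK/$2.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 1 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# chain_ok CA NAME: succeeds if NAME.crt chains to CA.crt (the check the "ca" directive does)
chain_ok() {
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# has_eku NAME serverAuth|clientAuth: succeeds if the certificate carries that EKU
# (the check "remote-cert-tls server" / "remote-cert-tls client" does)
has_eku() {
    case "$2" in
        serverAuth) want="TLS Web Server Authentication" ;;
        clientAuth) want="TLS Web Client Authentication" ;;
        *) return 2 ;;
    esac
    openssl x509 -in "$WORK/$1.crt" -noout -text | grep -q "$want"
}

build_pki() {
    make_ca server-ca
    make_ca client-ca
    issue server-ca vpn-server serverAuth   # server cert comes from the server CA
    issue client-ca alice clientAuth        # client cert comes from the client CA
}

# write_configs: directive placement from the manual. The server's "ca" is the CA that
# signed the clients; each client's "ca" is the CA that signed the server.
write_configs() {
    cat > "$WORK/server.conf" <<'EOF'
# peers must chain to the CLIENT CA ...
ca client-ca.crt
cert vpn-server.crt
key vpn-server.key
# ... and their certificate must carry the clientAuth EKU
remote-cert-tls client
EOF
    cat > "$WORK/alice.ovpn" <<'EOF'
client
# the server must chain to the SERVER CA ...
ca server-ca.crt
cert alice.crt
key alice.key
# ... and its certificate must carry the serverAuth EKU
remote-cert-tls server
EOF
}

report() { if "$@"; then echo "pass: $*"; else echo "fail: $*"; fi; }

build_pki
write_configs
report chain_ok server-ca vpn-server   # client verifying the real server: pass
report chain_ok client-ca alice        # server verifying a real client: pass
report chain_ok server-ca alice        # client cert presented as a server: fail
report chain_ok client-ca vpn-server   # server cert presented as a client: fail
report has_eku  alice serverAuth       # what remote-cert-tls alone would catch: fail
echo "PKI and config fragments written under $WORK"
```

The third `report` line is the case the manual's option (4) exists for: a client holding `alice.crt` cannot pose as the server to another client, because the other client validates the presented certificate against `server-ca.crt` only, and nothing the client CA signed chains to it. The last line shows the EKU check is an independent second barrier, which is why the reply above says the split-CA setup is rarely needed in practice. In pfSense the server side is just the Peer Certificate Authority field set to the client-signing CA; the client file has to be edited by hand to point `ca` at the server-signing CA, since the client export package does not do it.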
-
@jimp thanks for your reply.
Might the documentation need to be corrected to reflect this scenario?