Safe to have PKI CA on same box as OpenVPN?

  • Based on this page, and other general best practices about running a PKI, it seems like having the CA on the same box as the OpenVPN server is not a good idea.

    Is there something about the way pfSense is set up that makes this OK?

  • Short answer: No, it doesn't make any difference.

    Long answer: It depends on your environment. If your pfSense box is in a trusted environment (at home, or in a company where only people who should have both physical and remote access have access to the box), and you use the PKI only for VPN, and access from outside is only possible via VPN, it makes no real difference. That means that if someone who shouldn't get access via VPN gets access, your PKI is already broken, so it doesn't make any difference if these bad guys get access to your PKI, because they already have it.

  • Sounds reasonable. I am only using the pfSense hosted CA for the VPN.
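As an added illustration (not part of the thread above, and not pfSense's own tooling) of what the "CA on a separate box" recommendation looks like in practice: an openssl workflow where the CA private key is created and used on a separate machine, only the server CSR travels to that machine and only the signed certificate plus the public CA certificate travel back to the VPN host. The two directories under a temporary working tree stand in for the two machines; the names `Example VPN CA` and `vpn.example.test` are constructed. The last function is the check an operator would run on the VPN host to confirm the CA private key never ended up there, which is exactly the condition the answer above describes as "your PKI is already broken".

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense.
# Assumes: openssl on PATH, mktemp available. The two directories below
# model two machines: OFFLINE is where the CA key lives, VPNBOX is what is
# actually deployed on the OpenVPN host.
set -eu

WORK="${WORK:-$(mktemp -d)}"
OFFLINE="$WORK/offline-ca"     # CA key and cert; never copied to the VPN host
VPNBOX="$WORK/openvpn-box"     # contents of the VPN host's cert directory

# Step 1 (offline machine): CA private key and self-signed CA certificate.
make_ca() {
  mkdir -p "$OFFLINE"
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example VPN CA" \
    -keyout "$OFFLINE/ca.key" -out "$OFFLINE/ca.crt" 2>/dev/null
}

# Step 2 (VPN host): server key is generated where it will be used; only the
# CSR (public data) leaves the host.
make_server_csr() {
  mkdir -p "$VPNBOX"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=vpn.example.test" \
    -keyout "$VPNBOX/server.key" -out "$VPNBOX/server.csr" 2>/dev/null
}

# Step 3 (offline machine): sign the CSR. What goes back to the VPN host is the
# signed server cert and the public CA cert, nothing else.
sign_server_csr() {
  openssl x509 -req -days 825 -in "$VPNBOX/server.csr" \
    -CA "$OFFLINE/ca.crt" -CAkey "$OFFLINE/ca.key" -CAcreateserial \
    -out "$VPNBOX/server.crt" 2>/dev/null
  cp "$OFFLINE/ca.crt" "$VPNBOX/ca.crt"
}

# Check 1: the deployed server cert chains to the CA cert clients will trust.
chain_ok() {
  openssl verify -CAfile "$VPNBOX/ca.crt" "$VPNBOX/server.crt" >/dev/null 2>&1
}

# Check 2: no file in the deployed directory carries the CA's private key,
# whatever it is named. Compares RSA moduli rather than trusting filenames.
vpnbox_has_no_ca_key() {
  ca_mod=$(openssl rsa -in "$OFFLINE/ca.key" -noout -modulus 2>/dev/null)
  for f in "$VPNBOX"/*; do
    mod=$(openssl rsa -in "$f" -noout -modulus 2>/dev/null || true)
    [ "$mod" = "$ca_mod" ] && return 1
  done
  return 0
}

# Run the full workflow and both checks; succeeds only if the chain verifies
# and the CA key is absent from the VPN host's directory.
run_demo() {
  make_ca && make_server_csr && sign_server_csr && chain_ok && vpnbox_has_no_ca_key
}

run_demo && echo "ok: $VPNBOX holds server key/cert and CA cert, but no CA key"
```

To adapt this to a real deployment, the OFFLINE directory is simply a machine that is not reachable from the VPN; the CSR and certificate are small text files that can be moved by any out-of-band means. Running `vpnbox_has_no_ca_key` against the VPN host's certificate directory is a cheap periodic check that the separation has not been quietly undone by a convenient `cp`.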

