On Wed, 3 Nov 2010, Ross Walker wrote:
> As always it's better to use internally generated certificates that
> are password protected then either passwords or certificates alone.
> Having said that these password protected certificates are a PITA to
> distribute to users and to support remotely.
The biggest headache with OpenVPN is PKI. The OpenVPN source ships
with some scripts for doing certificate authority work, but eventually
the administrator has to figure out PKI for all but the very smallest
of deployments.
That said, OpenVPN deals very nicely with certificate revocations,
making it easy to void a certificate if a key is lost, stolen, or a
victim of the HR department.
I agree that distributing password-protected keys is a pain. In a
savvy environment, you can show people how to encrypt their own keys
using the openssl binary (even on Windows), but that certainly doesn't
work everywhere. On the upside, all the client OpenVPN GUIs I've used
(Windows, Tunnelblick for Mac, NetworkManager) handle encrypted keys
quite nicely these days, prompting for the passphrase at connection
time.
--
Paul Heinlein <> heinlein@xxxxxxxxxx <> http://www.madboa.com/
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
