Hi Kim kim. you would get more appropriate advise for OpenVPN from: https://forums.openvpn.net/ Also see the OpenVPN HOWTO located there .. The manual page can also be very helpful: https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage The openvpn users mailing list is also a great source of help. Find the mailing lists at: https://openvpn.net/index.php/open-source/documentation/miscellaneous/61-mailing-lists.html With regard to your specific problem: If you have deleted your server side copies of the ca.key and ca.crt then all the associated server & client certificates/keys will be useless and can *never* be used by openvpn again. You would have to recreate a new PKI from scratch. Regards -- On 24/05/16 08:21, Kim kim wrote: > Hello, > > > I am a non English native and just a newbie, the opposite of an IT expert, and am totally stuck on this. If any of you can kindly give any advice on my stupid or basic questions I would indeed greatly, greatly appreciate your help: > > > Some while ago, for the first time in my life I (installed servers and) created certificates/keys, in order to use Openvpn on my stuffs. I successfully created those but then I felt I needed to figure out much more about other parts of server security, so I couldn't use those immediately but just leave those alone. > > > What I've done was, > > - I wanted to use Openvpn on my work and all other stuffs (I'm not an expert; I just wanted to learn and do the basic things, if I can.). > > - After reading some documents I understood/thought I should have "server" in order to use Openvpn. (Until then, I only have Microsoft Windows (not server) and virtual machine guest Windows (not server) on it.) > > - So I installed some Linux "server(s)" as guest os(es), for the first time in my life. > > here what I actually did was: 1. installed A server, 2. following the instructions on the Openvpn website etc, completed the steps issuing cerficates (CA, server, client) using easy-rsa, 3. installed B server as another guest os, 2. completed the issueing certificates (CA, server, client) steps. > > - But I felt I should learn and configure the rest part of server security in order to actually start using the system(s), so I couldn't go further at that time; so I just quit going further and had to leave those alone, without doing anything on it. > > - disconnected the internet connections from those guest OSes. > > > And then i've been worried about the certificates and keys that were properly issued at that time, I believe. I don't know what I have to be worried about actually and even if I really have to be worried about any things regarding it or not. > > At that time I created the certificates mainly for the use of all my basic(?)/initial(?) system, so the CAs, servers, and clients cerfiticates were only created and as far as I remember I didn't send these to others or share with any. > > But I'm worried as I hear server can be hacked very quickly after created... > > Haven't deleted/couldn't delete those two servers because I don't know if it will be needed, if the certificates and keys need to be revoked.... > > > I wonder, do I have to revoke all the cerfiticates and keys, including CA itself? Do I revoke the CAs using the same CAs? > > (And actually I had a window os, not server, too before installing those two servers, in which I also issued some certs and keys to use Openvpn (until then I didn't think about the need of "server" for using Openvpn), but then I just completely deleted the window device itself without making any revocation or whatsoever.. so currently I don't even have that system... Can I still even revoke those certificates and keys issued on the deleted device? how?...) > > > I now really need to proceed with my stuffs but I'm still stuck on it. > > I don't know what should I do to delete any risk/danger remaining, if any. Or can I simply delete these two servers) without revoking(?) any or whatsoever, without anything to worry about? > > Is a certificate supposed to certify a device (either CA, server or client)? So therefore don't I have to be even worried about the certs and keys if I no longer use the device itself (or if I delete the device itself)? What is the bottom line for compromised etc certificates/keys (maybe in security perspective or whatsoever...)? > > > I look forward to hearing from you. > > Thank you very much for your time and your help indeed! > > Best regards, > Kim > >
