Götz Babin-Ebell wrote:
In my view it lacks the following features:
1. Allow the user to specify his own PKCS#11 library.
2. Generate a new key.

This is wide outside of the OpenVPN usage.
It is to be implemented in a PKCS#11 (key) management tool
but NOT in a VPN daemon.

The update is for easy-rsa, which is a simple to use
interface in order to issue certificates.

The easy-rsa is already provided by OpenVPN in order to ease
the user in the mission of certificate enrollment.


3. Load the X.509 certificate into the token.

And this too has nothing to do with the functionality of a
VPN daemon.

Please:
KISS. Keep It Simple and Save.

This is what all try to do.


OpenVPN is a small tool to do VPN tunneling.
Stuffing not related functionality that seems fancy into it
leads to bloatware.

True... But in order to allow people to use the solution,
they should be able to enroll certificates, easy-rsa is a good starting point.

Since OpenVPN 2.1 will support PKCS#11 tokens, it would be
nice if the easy-rsa interface will also support PKCS#11 as it supports software keys.

Until now I've assumed that people who use PKCS#11 tokens
will enroll them using a different tool. Ondra suggested adding PKCS#11 support to easy-rsa; this is fine! In my opinion it should support a complete enrollment process.

Best Regards,
Alon Bar-Lev

