Hello,
My name is Oana Comanici and I am developing a zero config application based on
OpenVPN. I have encountered an issue regarding the generation of certificates
for clients. Since the application is supposed to require as little
configuration as possible, the actual method for generating the certificates on
the server machine and copying them afterwards to the client is not
appropriate.
There are three possible solutions that I have found so far, but I don't know
exactly which one is easier to implement and more efficient.
1. The clients could use self-signed SSL certificates for the communication
with the server. At the moment, OpenVPN servers only accept connections from
clients with certificates signed by the server's CA. However, it would decrease
the level of security provided by the VPN.
2. The communication between client and server would no longer be based on
certificates, but on a public key and a private key. Does the actual OpenVPN
implementation offer any kind of support for this method?
3. The server acts as a CA, signing the Certificate Signing Request sent by the
client. This would probably imply that the server was listening on a separate
port for a .csr file from a file.
These are the solutions that I have thought of so far, but if there is a more
efficient one, please tell me. Also, I would like to know which of the three
ideas would be the best.
Thank you,
Oana
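
Idea 3 sketched with the openssl command line, as an added example that is not part of the original message or of OpenVPN: the client generates its key and CSR locally, and the server signs it with extensions it chooses itself, ignoring any the CSR requests. Function names, file paths, common names and lifetimes are assumptions; how the CSR is transported and how the requester is authenticated before signing are not shown.

```shell
#!/bin/sh
# Added illustration. Paths, CNs and lifetimes are constructed.

# One-time CA setup on the server; $1 is a working directory.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client side: the private key never leaves the client, only the CSR is sent.
# $1 = directory, $2 = common name, remaining args are passed to openssl req.
make_csr() {
    dir=$1; cn=$2; shift 2
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" "$@" \
        -keyout "$dir/$cn.key" -out "$dir/$cn.csr" 2>/dev/null
}

# Server side: check the CSR's self-signature, then issue a short-lived
# certificate whose extensions come from the server, not from the CSR.
sign_csr() {
    dir=$1; cn=$2
    openssl req -in "$dir/$cn.csr" -noout -verify 2>&1 \
        | grep -q "verify OK" || return 1
    cat > "$dir/client.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$dir/$cn.csr" -days 30 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/$cn.crt" 2>/dev/null
}

# True if the issued certificate chains to the CA and is a client-only leaf.
is_client_leaf() {
    dir=$1; cn=$2
    openssl verify -CAfile "$dir/ca.crt" "$dir/$cn.crt" >/dev/null 2>&1 || return 1
    text=$(openssl x509 -in "$dir/$cn.crt" -noout -text)
    echo "$text" | grep -q "CA:FALSE" || return 1
    echo "$text" | grep -q "TLS Web Client Authentication" || return 1
    ! echo "$text" | grep -q "CA:TRUE"
}
```

Typical order is `make_ca` once on the server, `make_csr` on each client, then `sign_csr` on the server for every CSR it decides to accept.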