1 I'm not sure this is possible, but maybe it will work with
client-cert-not-required; I have never tried, though 

2 I'm not sure what this means, because certificates are public keys,
bound with some attributes (like common name) and the bundle signed by
the CA, and the communicating entity retains and uses the private key.

3 most secure, though you still have to get the certificate from the CA
machine to the client, which you said is a problem for you.

some folks have all clients use the same pre-generated cert, and rely on
different methods for client authorization, by way of
auth-user-pass-verify.

-dave
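For the shared-cert setup Dave mentions, the password check is the only thing that actually authenticates a client (a private key shipped to every client is effectively public), so the auth-user-pass-verify script has to be done carefully. Below is an added example, not code from the thread or from the OpenVPN project, of such a script using the via-file method: OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and passes its path as the script's only argument; exit 0 accepts, anything else rejects. The credential file path and format (user:salt:sha256hex) and the server config lines in the comments are assumptions. Note that in OpenVPN 2.4 and later client-cert-not-required is replaced by verify-client-cert none, and script-security 2 is needed for the script to run at all.

```shell
#!/bin/sh
# Added example (not from the original thread): a minimal auth-user-pass-verify
# script for the "shared client cert + per-user password" setup.
# Assumed server-side config lines (hypothetical paths):
#   client-cert-not-required          # OpenVPN 2.4+: verify-client-cert none
#   script-security 2
#   auth-user-pass-verify /etc/openvpn/verify.sh via-file
# With via-file, OpenVPN writes the username on line 1 and the password on
# line 2 of a temporary file and passes its path as $1.
# Exit status 0 accepts the client, anything else rejects it.

CRED_DB="${CRED_DB:-/etc/openvpn/users.db}"   # assumed: lines of user:salt:sha256hex

sha256_hex() {
    # Hash stdin with coreutils sha256sum or BSD/perl shasum, whichever exists.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | awk '{print $1}'
    else
        shasum -a 256 | awk '{print $1}'
    fi
}

hash_password() {
    # $1 = salt, $2 = password
    printf '%s:%s' "$1" "$2" | sha256_hex
}

add_user() {
    # Provisioning helper: $1 = db path, $2 = username, $3 = password
    salt=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf '%s:%s:%s\n' "$2" "$salt" "$(hash_password "$salt" "$3")" >> "$1"
}

verify_credentials() {
    # $1 = db path, $2 = username, $3 = password; returns 0 on match, 1 otherwise
    case "$2" in
        ''|*[!A-Za-z0-9._@-]*) return 1 ;;   # never let odd usernames reach awk
    esac
    entry=$(awk -F: -v u="$2" '$1 == u { print $2 ":" $3; exit }' "$1" 2>/dev/null)
    if [ -z "$entry" ]; then
        hash_password x "$3" >/dev/null      # unknown user: same work as a bad password
        return 1
    fi
    salt=${entry%%:*}
    stored=${entry#*:}
    [ "$(hash_password "$salt" "$3")" = "$stored" ]
}

verify_user_file() {
    # $1 = db path, $2 = file handed over by OpenVPN (username, newline, password)
    user=$(sed -n '1p' "$2")
    pass=$(sed -n '2p' "$2")
    verify_credentials "$1" "$user" "$pass"
}

# Entry point when OpenVPN runs the script: the single argument is the temp file.
if [ $# -eq 1 ] && [ -f "$1" ]; then
    if verify_user_file "$CRED_DB" "$1"; then exit 0; else exit 1; fi
fi
```

The username whitelist and the dummy hash on unknown users are there so that neither a crafted username nor a timing difference leaks anything about the user table; the salt per entry keeps identical passwords from hashing identically.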

-----Original Message-----
From: Oana Comanici [mailto:oana.coman...@yahoo.com] 
Sent: Sunday, April 12, 2009 6:10 PM
To: openvpn-devel@lists.sourceforge.net
Subject: [Openvpn-devel] Generating certificate/key pair locally on client machine


Hello, 

My name is Oana Comanici and I am developing a zero config application
based on OpenVPN. I have encountered an issue regarding the generation
of certificates for clients. Since the application is supposed to
require as little configuration as possible, the actual method for
generating the certificates on the server machine and copying them
afterwards to the client is not appropriate. 

There are three possible solutions that I have found so far, but I don't
know exactly which one is easier to implement and more efficient.

1. The clients could use self-signed SSL certificates for the
communication with the server. At the moment, OpenVPN servers only
accept connections from clients with certificates signed by the server's
CA. However, it would decrease the level of security provided by the
VPN.

2. The communication between client and server would be no longer based
on certificates, but on a public key and a private key. Does the actual
OpenVPN implementation offer any kind of support for this method?

3. The server acts as a CA, signing the Certificate Signing Request sent
by the client. This would probably imply that the server was listening
on a separate port for a .csr file from a file.

These are the solutions that I have thought of so far, but if there is a
more efficient one, please tell me. Also, I would like to know which of
the three ideas would be the best.

Thank you,
    Oana
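Option 3 from the message above, carried out with plain openssl, as an added example that is not code from the thread or from OpenVPN: the client generates its key pair and a CSR locally, only the CSR goes to the server, and the server-side CA signs it. The one thing the message does not address is who is allowed to enroll, so the signing step here is gated by a one-time token handed to the client out of band; without that, anyone who can reach the signing port gets a valid VPN certificate. The directory layout, token file, subject names and extension set are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): client-side key/CSR generation
# with a server-side CA that signs the CSR only against a one-time enrollment
# token. Paths and names below are assumptions.

ca_init() {
    # $1 = CA dir (stays on the server), $2 = CA common name
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$1/ca.key" -out "$1/ca.crt" -subj "/CN=$2" 2>/dev/null
    chmod 600 "$1/ca.key"
    : > "$1/tokens"            # pending one-time enrollment tokens, one per line
}

ca_issue_token() {
    # $1 = CA dir; prints a fresh token to hand to exactly one client out of band
    tok=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    echo "$tok" >> "$1/tokens"
    echo "$tok"
}

client_make_csr() {
    # $1 = client dir, $2 = common name; the private key never leaves $1
    mkdir -p "$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$1/client.key" -out "$1/client.csr" -subj "/CN=$2" 2>/dev/null
    chmod 600 "$1/client.key"
}

ca_sign_csr() {
    # $1 = CA dir, $2 = CSR path, $3 = enrollment token, $4 = output cert path
    # Refuse unless the token is pending, then consume it so it cannot be replayed.
    if [ -z "$3" ] || ! grep -Fqx "$3" "$1/tokens" 2>/dev/null; then
        echo "enrollment refused: unknown or already used token" >&2
        return 1
    fi
    grep -Fvx "$3" "$1/tokens" > "$1/tokens.new" || true
    mv "$1/tokens.new" "$1/tokens"
    ext=$(mktemp)
    # Mark the cert as a client cert; pairs with "remote-cert-tls client" on the server.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$ext"
    openssl x509 -req -in "$2" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -sha256 -days 365 -extfile "$ext" -out "$4" 2>/dev/null
    rc=$?
    rm -f "$ext"
    return $rc
}

cert_verify() {
    # $1 = CA dir, $2 = cert; 0 only if it chains to this CA and carries clientAuth
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout -text | grep -q 'TLS Web Client Authentication'
}
```

In a deployment the CSR and the token would be carried over the "separate port" the message describes (ideally over TLS to the server's existing certificate); the CA key, the token list and the signing function stay on the server, and the client directory only ever holds its own key, CSR and the returned certificate.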
