-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi,

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, 20 May 2021 22:35, tincantech via Openvpn-devel <openvpn-devel@lists.sourceforge.net> wrote:

> Hi,
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Thursday, 20 May 2021 22:22, Jan Just Keijser janj...@nikhef.nl wrote:
>
> > On 20/05/21 23:12, tincantech wrote:
> >
> > > [...]
> > >
> > > So, why switch to .pem when it has never been used before by openvpn?
> > > If you are all happy to let it go that way then so-be-it,
> >
> > Hopefully this clarifies things:
> >
> > - the default output format of OpenSSL is PEM-encoded ; openssl uses the default extension .pem
> >
> > - the OpenVPN .crt and .key files are ALSO PEM-encoded by default, but they've just been named differently by the easy-rsa tools to ensure that the files can be easily loaded on Windows
> >
> > - FTR: nearly all webservers I have ever seen are configured to use a hostcert.pem and hostkey.pem and my guess is that there are (still) more Linux-based webservers out there than OpenVPN clients and servers.
> >
> > Having said that, I do agree that after using .crt/.key files left and right (to accommodate Windows users) for over 15 years, it does seem confusing to start using files named .pem for peer-fingerprinting all of a sudden. On the other hand, with peer-fingerprinting you don't HAVE a .crt file (at least, you don't need one, technically) but only a .key file. So choosing a different extension for peer-fingerprinting does have its merits.
> >
> > > FTR: Openvpn still exchanges the full certificates in peer-fingerprint mode.
> >
> > meh ... I guess it was easier to implement it that way at the TLS level...
>
> I cannot comment on the code but there is the case of older clients which require self-signed server ".crt" (Easy-RSA) in place of the CA cert.
>
> > IMO that does add a "+1" to using .crt/.key extensions - otherwise it might confuse the heck out of end users (like overwriting the private key with the public cert etc ... )
>
> That is another good point.
>
> > How do the examples distinguish between the cert and the private key in this case then?
>
> Generally, the distinction between what is private and what is public has not been very well covered. Other than the notable exception of "Protect your Private CA key at all costs!"
>
> I have included this Private v Public information in the easy-pfp output.
> Seems like the only way to get things done sometimes is do-it-yourself ;-)
>
> Anyway, all other points aside, the point is that: Changing to .pem (not PEM) feels like an unnecessary complication.

I would like to hammer one final nail into this discussion.

Openvpn option names and inline tags ALL use <cert>ificate .crt and <key> .key. They do not use .pem or PEM and none of the Official online documentation, to date, references use of a {name}.pem file, other than far-flung cases. The files generated in this tutorial will all be PEM encoded regardless.

This is why I asked the question of why Openvpn suddenly chooses to change to a .pem extension and add this unnecessary complication. Real users may see this as another hurdle which they just don't want to jump. Do you want to drive them away .. ?

As I am also banned from #openvpn-meeting, I leave this for you to discuss.

-- 
Richard
-----BEGIN PGP SIGNATURE-----
Version: ProtonMail

wsBzBAEBCAAGBQJgpvNyACEJEE+XnPZrkLidFiEECbw9RGejjXJ5xVVVT5ec
9muQuJ1U5wgAza4n5mxniWpvVrkSxRCN3TEc0MEafFb+Eza0uL/l9i5tVDDQ
A4ZwjBuRGgteJzNhbe3Q+YJzZZ1hjf9k9FjPwGtnUK49IZZt8OOe60bfiQt7
aSmhKMRyZzzjRgSv6QNdPWsZEB3JceZ572+EIi5zfQmz6V1q8USsPQPaUZoa
k65YA9Z+pU6xsm1+lKMLGbi8rzIvIhNYCEIZ4pGl5OzckQP7o7JKUanhOoHH
7KrD5Nu5ad4CtgMv72RYWCbmW5vsqIcOrYJIG7mASodCTGkL2JH5F2i8fVUJ
rg5OrvVViLewxTYyGCVc+PZ7ukB6l/bEYd8efA1G4carr6+hRDTfSA==
=T6wH
-----END PGP SIGNATURE-----
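Two technical points run through the thread above: a .crt, .key or .pem file is PEM-encoded whatever its name, so only the BEGIN label tells a private key from a public certificate; and in peer-fingerprint mode what the peer verifies is the SHA-256 fingerprint of the certificate, which is SHA-256 over the DER bytes that the PEM body base64-encodes. The script below is an added example written for this page; it is not code from OpenVPN, Easy-RSA, easy-pfp or any participant in the thread. It uses only the Python standard library so it runs without openssl. Assumptions: the sample PEM bodies are constructed (base64 of the bytes "abc", not a real certificate or key, chosen so the result can be checked against the well-known SHA-256("abc") test vector); the colon-separated upper-case hex layout is the one `openssl x509 -noout -fingerprint -sha256` prints, and the inline `<peer-fingerprint>` block is the OpenVPN 2.6 config syntax.

```python
"""Tell a private key from a public certificate by its PEM label, and derive
the SHA-256 fingerprint that peer-fingerprint mode verifies.

Added example; not OpenVPN, Easy-RSA or easy-pfp code.  Standard library only,
so it runs without openssl.  The DER bytes are the base64-decoded PEM body, and
the certificate fingerprint is SHA-256 over those bytes, the same value that
`openssl x509 -noout -fingerprint -sha256 -in server.crt` prints.
"""
import base64
import hashlib
import re
from dataclasses import dataclass
from typing import List, Optional

# PEM labels that carry private key material; anything else may be handed out.
PRIVATE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
                  "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}

# One PEM block: BEGIN line, body (may start with header lines), matching END line.
_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


@dataclass
class PemBlock:
    label: str                  # text between the BEGIN/END dashes
    kind: str                   # "private-key", "certificate" or "other"
    fingerprint: Optional[str]  # SHA-256 as AA:BB:... for certificates only


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256, the layout openssl -fingerprint uses."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def classify_pem(text: str) -> List[PemBlock]:
    """Classify every PEM block in text.  The file extension is never consulted:
    a .crt, .key or .pem file is judged purely by what its BEGIN line says."""
    blocks = []
    for m in _PEM_RE.finditer(text):
        label = m.group("label").strip()
        # Drop legacy header lines such as "Proc-Type: 4,ENCRYPTED"; base64 never
        # contains a colon, so this keeps exactly the encoded body.
        body = "".join(ln.strip() for ln in m.group("body").splitlines()
                       if ":" not in ln)
        der = base64.b64decode(body, validate=True)
        if label in PRIVATE_LABELS:
            blocks.append(PemBlock(label, "private-key", None))
        elif label in CERT_LABELS:
            blocks.append(PemBlock(label, "certificate", sha256_fingerprint(der)))
        else:
            blocks.append(PemBlock(label, "other", None))
    return blocks


def safe_to_publish(text: str) -> bool:
    """False if any block is a private key: the check to run before a file is
    pasted into a client config or sent to a peer."""
    return all(b.kind != "private-key" for b in classify_pem(text))


def peer_fingerprint_block(text: str) -> str:
    """Inline <peer-fingerprint> section (assumed OpenVPN 2.6 syntax) listing the
    fingerprint of every certificate found; private key blocks are ignored."""
    fps = [b.fingerprint for b in classify_pem(text) if b.kind == "certificate"]
    return "<peer-fingerprint>\n" + "".join(fp + "\n" for fp in fps) + "</peer-fingerprint>"


# Constructed samples, not real X.509 or key material: every body is base64 of
# the three bytes b"abc", so the fingerprint equals the SHA-256("abc") test vector.
SAMPLE_CRT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nYWJj\n-----END PRIVATE KEY-----\n"
SAMPLE_LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Proc-Type: 4,ENCRYPTED\n"
                     "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
                     "\nYWJj\n-----END RSA PRIVATE KEY-----\n")
# A cert and its key concatenated into one .pem: the mix-up the thread worries about.
SAMPLE_COMBINED = SAMPLE_CRT + SAMPLE_KEY

if __name__ == "__main__":
    for name, sample in [("server.crt", SAMPLE_CRT), ("server.key", SAMPLE_KEY),
                         ("legacy.key", SAMPLE_LEGACY_KEY), ("combined.pem", SAMPLE_COMBINED)]:
        for b in classify_pem(sample):
            print(f"{name}: {b.kind} ({b.label}) {b.fingerprint or ''}")
        print(f"{name}: safe to publish = {safe_to_publish(sample)}")
    print(peer_fingerprint_block(SAMPLE_COMBINED))
```

Run it as-is to see the constructed samples classified; point `classify_pem` at the contents of a real Easy-RSA server.crt and the fingerprint it returns is the same string `openssl x509 -noout -fingerprint -sha256 -in server.crt` prints, because both hash the same DER bytes. The `safe_to_publish` gate is the cheap check that catches the "overwrote the cert with the key" mistake before a file leaves the box, regardless of what extension the tutorial settles on.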
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel