On 22/12/14 22:30, jack seth wrote:
> Upon further inspection, I don't think this is the password for your private key. The screen says "Please enter the following 'extra' attributes to be sent with your certificate request. A challenge password [] An optional company name []" What is this password for?

This is the 'challenge' password and is seldom used; you can protect your certificate REQUEST using a challenge password so that only the right CA can generate a certificate for it. This would protect the end user from receiving certificates signed by a malicious CA.

> Also, I am wondering if it is a good idea to protect the CA private key and client private keys with a password? What are the pros and cons? I have read that it wouldn't be good to protect the server's private key because it couldn't start up without putting in the password.

The CA private key should ALWAYS be protected using a private key - it's the most crucial part of your Public Key Infrastructure. It is also advisable to store the CA private key on a separate host - not on the client, not on the server. As for protecting client private keys using a password: it is a good security practice but a user can always remove the password, so don't think it adds THAT much security.

HTH,

JJK

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
