I assume you meant a CA private key should always be protected by a password,
correct? Does using a password for the CA (or any key) require you to encrypt
the key? How can a user remove a password if you have encrypted the client
private key?

Date: Tue, 23 Dec 2014 00:38:14 +0100
From: janj...@nikhef.nl
To: bird_...@hotmail.com; pbychik...@yahoo.com;
openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] What is the password for when generating keys?

On 22/12/14 22:30, jack seth wrote:

Upon further inspection, I don't think this is the
password for your private key. The screen says "Please enter
the following 'extra' attributes to be sent with your
certificate request. A challenge password [] An optional
company name []" What is this password for?

this is the 'challenge' password and is seldom used; you can
protect your certificate REQUEST using a challenge password so that
only the right CA can generate a certificate for it. This would
protect the end user from receiving certificates signed by a
malicious CA.

Also, I am wondering if it is a good idea to
protect the CA private key and client private keys with a
password? What are the pros and cons? I have read that it
wouldn't be good to protect the server's private key because it
couldn't start up without putting in the password.

the CA private key should ALWAYS be protected using a private key -
it's the most crucial part of your Public Key Infrastructure. It is
also advisable to store the CA private key on a separate host - not
on the client, not on the server.

As for protecting client private keys using a password: it is a good
security practice but a user can always remove the password, so
don't think it adds THAT much security.

HTH,
JJK
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
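
The following is an added example, not part of the original thread. It shows with the stock `openssl` command line that a password on a private key means the key file itself is encrypted, and that whoever knows the password can rewrite the same key without it, which is the limit mentioned in the reply above. The file names, the passphrase and the helper function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added illustration, not from the thread; names and passphrase are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT           # do not leave the cleartext key behind
PASS='constructed-demo-passphrase'
ENC="$WORK/client.enc.key"
PLAIN="$WORK/client.plain.key"

# Create an RSA key whose PEM file is encrypted with AES-256 under $PASS.
make_encrypted_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass "pass:$PASS" -out "$ENC" 2>/dev/null
}

# True if the PEM file is an encrypted container (PKCS#8 or traditional).
key_is_encrypted() {
    head -n 2 "$1" | grep -q 'ENCRYPTED'
}

# True if the key in file $1 can be loaded with passphrase $2.
key_opens_with() {
    openssl pkey -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# "Removing the password": decrypt the key and write it back out in the clear.
strip_passphrase() {
    openssl pkey -in "$ENC" -passin "pass:$PASS" -out "$PLAIN" 2>/dev/null
    chmod 600 "$PLAIN"
}

# SHA-256 of the DER public key: identifies the key pair regardless of wrapping.
pub_fingerprint() {
    openssl pkey -in "$1" -passin "pass:$2" -pubout -outform DER 2>/dev/null |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

make_encrypted_key && strip_passphrase
key_is_encrypted "$ENC"   && echo "encrypted file: passphrase required"
key_is_encrypted "$PLAIN" || echo "stripped file: no passphrase required"
[ "$(pub_fingerprint "$ENC" "$PASS")" = "$(pub_fingerprint "$PLAIN" "")" ] &&
    echo "same key pair in both files"
```

The passphrase only protects the file at rest against someone who copies it without knowing the passphrase; it places no restriction on the key's legitimate holder.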