On Tue, Apr 19, 2016 at 02:07:23PM +0100, George Ross wrote:
>> I run my own private CA with a structure like:
>>
>>  rootCA ---- vpnSubCA
>>   |            |-------- vpnCertificate1
>>   |            |-------- vpnCertificate2
>>   |            |-------- vpnCertificate3
>>   |
>>   |---- otherCertificate1
>>   |---- otherCertificate2
>>   |---- otherCertificate3
>>   |---- otherCertificate4

> It works for us.  We have a four-level structure: the University's root CA
> at the top, then our own local top-level CA, then our KCA, then the
> individual certificates which the KCA issues against our Kerberos tickets.
> We do present the entire trust chain, though.

> We also have a tls-verify script which the endpoint uses to check that the
> certificate chain presented corresponds exactly with what we would expect
> given our structure.  That's to prevent someone using a certificate signed
> by somewhere else under our overall University tree.

I understand you do the "don't trust the root CA" in the tls-verify
script. Could I see the relevant part of the script for inspiration?
Thanks in advance,

-- 
Lionel Mamane
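
As an added illustration of the kind of check George describes (this is not his script and not part of the original message): OpenVPN runs a `--tls-verify` script once per certificate in the presented chain, starting at the trust anchor, passing the depth (0 = peer certificate) and the subject as two arguments and exporting `tls_digest_<depth>` with that certificate's fingerprint. For the thread's structure (rootCA -> vpnSubCA -> client certificate), accepting depth 1 only when it is the expected vpnSubCA rejects both certificates signed directly by the root and certificates from any other sub-CA. The subject strings, the fingerprint and the exact subject format (which varies between OpenVPN versions) are placeholders/assumptions.

```shell
#!/bin/sh
# Added example OpenVPN --tls-verify hook (not the original poster's script).
# Invoked once per chain link: $1 = depth (0 = peer cert), $2 = subject.
# Exit 0 accepts that link; any non-zero exit rejects the whole connection.

# Expected three-level chain. Subjects are ASSUMED placeholders; adapt them to
# the subject format your OpenVPN version passes (e.g. "C=XX, O=Org, CN=rootCA").
ROOT_SUBJECT="CN=rootCA"
SUBCA_SUBJECT="CN=vpnSubCA"
# Optional: pin the intermediate by fingerprint (tls_digest_1). Empty = not pinned.
SUBCA_DIGEST=""

# verify_chain DEPTH SUBJECT [DIGEST] -> 0 (accept link) or 1 (reject)
verify_chain() {
    depth=$1
    subject=$2
    digest=${3:-}
    case "$depth" in
        2)  # trust anchor must be our own root, not anything else in the CA file
            [ "$subject" = "$ROOT_SUBJECT" ] ;;
        1)  # issuer of the peer cert must be the VPN sub-CA; this is what rejects
            # a cert signed directly by rootCA or by another sub-CA under it
            [ "$subject" = "$SUBCA_SUBJECT" ] || return 1
            [ -z "$SUBCA_DIGEST" ] || [ "$digest" = "$SUBCA_DIGEST" ] ;;
        0)  # peer cert: reached only after depths 2 and 1 were accepted, so the
            # chain shape is already known; just refuse a CA subject used as a leaf
            [ "$subject" != "$ROOT_SUBJECT" ] && [ "$subject" != "$SUBCA_SUBJECT" ] ;;
        *)  # deeper chains (a fourth level) are not our structure
            return 1 ;;
    esac
}

# Entry point when OpenVPN runs this file with exactly two arguments.
if [ $# -eq 2 ]; then
    case "$1" in *[!0-9]*|"") exit 1 ;; esac   # depth must be an integer before eval
    eval "digest=\${tls_digest_$1:-}"          # fingerprint OpenVPN exported for this depth
    verify_chain "$1" "$2" "$digest"
    exit $?
fi
```

Remember that `--tls-verify` only runs with `--script-security 2` or higher, and it complements rather than replaces normal chain validation against `--ca`.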

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users