> I run my own private CA with a structure like:
>
> rootCA ---- vpnSubCA
>   |            |-------- vpnCertificate1
>   |            |-------- vpnCertificate2
>   |            |-------- vpnCertificate3
>   |
>   |---- otherCertificate1
>   |---- otherCertificate2
>   |---- otherCertificate3
>   |---- otherCertificate4
It works for us. We have a four-level structure: the University's root CA at the top, then our own local top-level CA, then our KCA, then the individual certificates which the KCA issues against our Kerberos tickets. We do present the entire trust chain, though. We also have a tls-verify script which the endpoint uses to check that the certificate chain presented corresponds exactly with what we would expect given our structure. That's to prevent someone using a certificate signed by somewhere else under our overall University tree. Given what I think you're requiring I reckon that's what you need to do too.

-- 
George D M Ross MSc PhD CEng MBCS CITP, University of Edinburgh,
School of Informatics, 10 Crichton Street, Edinburgh, Scotland, EH8 9AB
Mail: g...@inf.ed.ac.uk  Voice: 0131 650 5147  Fax: 0131 650 6899
PGP: 1024D/AD758CC5 B91E D430 1E0D 5883 EF6A 426C B676 5C2B AD75 8CC5

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
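As an added illustration of the tls-verify approach George describes (this is example code, not the University's script and not part of the original thread): OpenVPN calls the `--tls-verify` command once per certificate in the peer's chain with the depth and the X.509 subject, and the script below pins the exact subject expected at each of four depths. The distinguished names and the Kerberos realm are constructed placeholders, and the exact rendering of the subject string depends on the OpenVPN version, so take the real values from your own logs.

```shell
#!/bin/sh
# Example OpenVPN --tls-verify script (constructed, not the University's own).
# OpenVPN runs it once per certificate in the peer's chain with:
#   $1 = depth (0 = leaf certificate, higher numbers = issuing CAs)
#   $2 = X.509 subject name of the certificate at that depth
# Exit 0 to accept that certificate, non-zero to abort the handshake.

# check_depth DEPTH SUBJECT -> 0 if SUBJECT is exactly what our own chain
# shows at DEPTH, 1 otherwise. Exact matching is the point: a certificate
# signed by some other CA under the same root must be rejected even though
# OpenVPN's normal chain validation would accept it.
check_depth() {
    depth="$1"
    subject="$2"
    case "$depth" in
        3) expected='C=GB, O=Example University, CN=Example University Root CA' ;;
        2) expected='C=GB, O=Example University, OU=Informatics, CN=Informatics CA' ;;
        1) expected='C=GB, O=Example University, OU=Informatics, CN=Informatics KCA' ;;
        0)
            # Leaf: issued by the KCA to a Kerberos principal. Require our
            # OU and a CN of the form principal@REALM (placeholder realm).
            case "$subject" in
                'C=GB, O=Example University, OU=Informatics, CN='*'@EXAMPLE.ORG') return 0 ;;
                *) return 1 ;;
            esac ;;
        *) return 1 ;;   # a chain longer than the one we built is not ours
    esac
    [ "$subject" = "$expected" ]
}

# Only perform the check when invoked by OpenVPN (two arguments given), so
# the file can also be sourced for testing without side effects.
if [ "$#" -eq 2 ]; then
    if check_depth "$1" "$2"; then
        exit 0
    fi
    echo "tls-verify: rejecting depth $1 with subject '$2'" >&2
    exit 1
fi
```

Reference it from the server or client config as `tls-verify /path/to/this-script.sh`; rejections are visible in the OpenVPN log via the message written to stderr.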
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users