Koozali.org: home of the SME Server

OpenVPN-bridge in combination with an official SSL certificate

Arnaud
« on: December 12, 2016, 09:08:02 PM »
Hi,

I have got a simple official SSL certificate (domain.tld) installed on my SME. I use it for https and imap purposes.

In the past, before I got this certificate, I installed OpenVPN for tests on the SME as described in the wiki https://wiki.contribs.org/OpenVPN_Bridge, also based on a self-generated Authority Certificate made by PHPki => it worked fine.

Now I would like to configure OpenVPN on my prod SME for a durable use.

First question: as this is only for private use, is there an advantage to using the official CA instead of the self-generated one by PHPki?

Following question: is there a possibility to make PHPki use the official CA (in fact this is a CA + 2 intermediate certificates) to generate the OpenVPN-server and OpenVPN-client certificates?
At this time, all my ssl things are located under the folders /home/e-smith/ssl*.
A folder /opt/phpki/phpki-store/CA/certs exists and contains "cacert.pem" = the self-generated ca certificate I guess.
But there are other folders with files that I don't have from the official certificate:
- /opt/phpki/phpki-store/CA/crl contains 2 files "cacrl"
- /opt/phpki/phpki-store/CA/private contains cakey.pem (the private key referring to the self-generated ca?) => could my SSL private key replace it?
  As well as "dhparam" and "takey" that I don't have from the official certificate either.

How should I proceed?

Thanks.
Bye
Arnaud

Daniel B.
« Reply #1 on: December 13, 2016, 09:00:19 AM »
First question: as this is only for private use, is there an advantage to using the official CA instead of the self-generated one by PHPki?

No, there's no advantage, as you'll have to put the trust chain on the other peer anyway.

Following question: is there a possibility to make PHPki use the official CA (in fact this is a CA + 2 intermediate certificates) to generate the OpenVPN-server and OpenVPN-client certificates?

No, there's no way, because you don't have access to the CA private key to sign certificates. You could buy official certificates for each client, but I see no benefit either. Or you can mix both solutions: use the official cert for the server, and private ones (signed with PHPki) for the clients: you do not need to use the same PKI on both sides, as long as the CA cert on one side can verify the cert of the other side.

Cheers,
Daniel
It's the end of the world!!! :lol:

Arnaud
« Reply #2 on: December 13, 2016, 09:15:10 PM »
Thanks for your quick reply Daniel.

Your information is very clear: I'll let Openvpn outside of the official CA.

Just for my understanding:
Or you can mix both solutions: use the official cert for the server...
Is it possible with a basic SSL certificate? OpenVPN asks for DH parameters and I don't think I have got them.... Or are they given with every cert?

Thanks.
Bye
Arnaud

Daniel B.
« Reply #3 on: December 13, 2016, 09:43:16 PM »
DH parameters are completely independent of the certificate. You can generate as many DH params as you want with

Code:
openssl dhparam -out dhparam.pem 2048
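As an added example of what Daniel's two replies describe (this is not code from the thread, nor from the OpenVPN or PHPki projects), the script below builds two throwaway CAs, one standing in for the purchased CA and one for PHPki, issues the server certificate from the first and a client certificate from the second, shows with `openssl verify` that each CA file verifies only the other side's certificate, writes the matching OpenVPN server and client config fragments, and generates the DH parameters separately, since they belong to no certificate. The "official" CA key exists here only so the demo can sign something; with a real bought certificate you hold no CA key at all, only the server certificate and its intermediates. The client name `arnaud-laptop`, the CNs and the file paths under the work directory are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread, OpenVPN or PHPki. Two independent
# throwaway CAs stand in for the purchased CA and for PHPki; the server cert
# comes from one, the client cert from the other, and each peer verifies the
# other's certificate with the matching CA file. With a real purchased cert
# you never hold the CA key: you only get the server cert + intermediates.
# CNs, file names and the client name are assumptions made for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\n' >"$WORK/req.cnf"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >>"$WORK/req.cnf"

# make_ca NAME: self-signed CA -> $WORK/NAME-ca.key and $WORK/NAME-ca.crt
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$1 CA" -keyout "$WORK/$1-ca.key" \
    -out "$WORK/$1-ca.crt" >/dev/null 2>&1
}

# issue_cert CA NAME EKU: key + CSR for NAME, signed by CA-ca, with the
# extendedKeyUsage (serverAuth or clientAuth) that remote-cert-tls checks.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$3" >"$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1-ca.crt" \
    -CAkey "$WORK/$1-ca.key" -CAcreateserial -days 365 -sha256 \
    -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_chain CERT CAFILE: 0 when CAFILE verifies CERT, non-zero otherwise.
# This is the whole requirement for mixing PKIs: the CA file configured on
# one peer must verify the certificate the other peer presents.
verify_chain() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# gen_dh [BITS]: DH parameters, independent of any certificate or CA
# (Daniel's command, with the output placed in the demo directory).
gen_dh() {
  openssl dhparam -out "$WORK/dhparam.pem" "${1:-2048}" >/dev/null 2>&1
}

# build_demo: official-signed server cert, PHPki-signed client cert, and the
# OpenVPN config fragments that cross-verify them.
build_demo() {
  make_ca official                            # stand-in for the purchased CA
  make_ca phpki                               # stand-in for /opt/phpki/phpki-store/CA
  issue_cert official domain.tld serverAuth   # what the real CA sold you
  issue_cert phpki arnaud-laptop clientAuth   # what PHPki issues per client

  # Server: identity from the official CA, clients checked against PHPki's CA.
  # On the SME the real files live under /home/e-smith/ssl* (official) and
  # /opt/phpki/phpki-store/CA/ (PHPki); the paths below are the demo's.
  cat >"$WORK/server.conf" <<EOF
ca   $WORK/phpki-ca.crt
cert $WORK/domain.tld.crt
key  $WORK/domain.tld.key
dh   $WORK/dhparam.pem
remote-cert-tls client
EOF

  # Client: its own PHPki cert; the server is checked against the official
  # trust chain (root + intermediates), which the client must carry anyway.
  cat >"$WORK/client.conf" <<EOF
client
ca   $WORK/official-ca.crt
cert $WORK/arnaud-laptop.crt
key  $WORK/arnaud-laptop.key
remote-cert-tls server
EOF
}

# Usage: sh mixed_pki.sh demo   (prints which CA verifies which certificate)
if [ "${1:-}" = "demo" ]; then
  build_demo
  gen_dh 2048
  for pair in "domain.tld.crt official-ca.crt" "arnaud-laptop.crt phpki-ca.crt" \
              "domain.tld.crt phpki-ca.crt" "arnaud-laptop.crt official-ca.crt"; do
    set -- $pair
    if verify_chain "$WORK/$1" "$WORK/$2"; then echo "OK   $1 verified by $2"
    else echo "FAIL $1 not verified by $2 (expected for the cross pairs)"; fi
  done
  echo "configs written to $WORK/server.conf and $WORK/client.conf"
fi
```

On the real SME the server's `cert` would point at the purchased certificate under /home/e-smith/ssl*, with the two intermediates appended to the same PEM file (OpenVPN accepts a concatenated chain there, or a separate `extra-certs` file) so the client can build the path up to the official root, and the server's `ca` at /opt/phpki/phpki-store/CA/certs/cacert.pem. The client's `ca` file must contain the purchased CA's root plus intermediates, which is exactly the trust chain Daniel says the other peer needs in any case. `remote-cert-tls` relies on the extendedKeyUsage bits (serverAuth on the bought certificate, clientAuth on the PHPki ones), so inspect a PHPki client certificate with `openssl x509 -noout -text` before relying on that directive.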

Arnaud
« Reply #4 on: December 14, 2016, 09:03:59 PM »
Learned something again!  :cool:
Thanks!
Arnaud