I have two Ubuntu servers with stunnel configured between them. Server A acts as a middleman server and forwards all inbound traffic to Server B (the OpenVPN server) through stunnel.

The stunnel configurations on server A and on server B are:

server A:

; A listens for OpenVPN clients on 443 and wraps their traffic in TLS towards B
[openvpn_client]
accept = 0.0.0.0:443
connect = <serverB_ip>:993
cert = /etc/stunnel/cert1.pem
; A is the TLS client side of the tunnel
client = yes

server B:

; B is the TLS server side: terminates TLS on 993 and hands plain OpenVPN to the local daemon
client = no
[openvpn_server]
accept = :::993
connect = 127.0.0.1:1194
cert = /etc/stunnel/cert2.pem

Here my question is: should the SSL certificates used, cert1.pem and cert2.pem, be identical? I tested the connection with both identical and different SSL certificates, and it works fine in both cases.

What is the wise choice then? Should I use the same certificate on server A as the one on server B?

In case the firewall I am passing through can detect SSL fingerprints and block my connection, will the difference between certificates become helpful?

PouJa
    No, the same certificate should not be used. The certificates should be different. The certificate has two keys for a reason. One of the keys is private, and should only be known and accessible to one system. Making this key available to other systems defeats one of the reasons for using certificates. Certificates are all about trust. Doing things like disseminating a key that should be private with other entities that should not have the key erodes that trust. http://www.steves-internet-guide.com/ssl-certificates-explained/ – Greg Askew Mar 17 '23 at 10:05
  • Thank you so much. I see. – PouJa Mar 20 '23 at 11:05

1 Answer

No, they should not be identical.

Certificates should identify an entity, either a person or a computer, generally speaking.

In your scenario you only have two devices, but imagine a VPN network with many users. If one user should not have access any more, you can revoke that certificate, and block that user. If everyone uses the same cert, this will be impossible.

vidarlo
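The answer's point, that a per-endpoint certificate is what lets you revoke one side without touching the other, only pays off if the peers actually verify certificates; the configs in the question present a cert but never check the other side's. The script below is an added example (not from the original post or from the stunnel project): it builds a throwaway private CA, issues two different certificates (a clientAuth one for A, a serverAuth one for B), writes stunnel configs in which each side validates the peer against that CA and a CRL, then revokes A's certificate and shows that B's still verifies. "stunnel demo CA", serverB.example, the serial numbers and the $WORK directory are made-up demo values; the stunnel directives (verifyChain, checkHost, CRLfile) are stunnel 5 options, so check the manual for the version you run.

```shell
#!/bin/sh
# Added example, not from the original post or the stunnel project: a private
# CA issues two DIFFERENT certificates for the two stunnel endpoints, stunnel
# configs make both sides verify each other, then one endpoint is revoked and
# the other keeps validating. CA name, serverB.example and $WORK are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA="$WORK/ca"
# Minimal openssl.cnf for `openssl req` and `openssl ca`; the two extension
# sections tie each certificate to one role (TLS server vs TLS client).
write_ca_config() {
    mkdir -p "$CA/newcerts"; : > "$CA/index.txt"
    echo 1000 > "$CA/serial"; echo 1000 > "$CA/crlnumber"
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $CA/index.txt
new_certs_dir = $CA/newcerts
serial = $CA/serial
crlnumber = $CA/crlnumber
certificate = $CA/ca.crt
private_key = $CA/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ server_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:serverB.example
[ client_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
make_ca() {
    write_ca_config
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$WORK/ca.cnf" \
        -subj "/CN=stunnel demo CA" -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "$CA/ca.key" -out "$CA/ca.crt" 2>/dev/null
    publish_crl   # an (initially empty) CRL so -crl_check has one to consult
}
# issue_cert NAME EXT_SECTION CN -> $WORK/NAME.pem (cert + key, the layout
# stunnel's `cert =` accepts). Each key is generated for, and stays on, one host.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$3" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$WORK/ca.cnf" -extensions "$2" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
    cat "$WORK/$1.crt" "$WORK/$1.key" > "$WORK/$1.pem"
}
publish_crl() {
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
    cat "$CA/ca.crt" "$WORK/crl.pem" > "$WORK/trust.pem"   # CA cert + CRL for verify
}
revoke_cert() { openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.crt" 2>/dev/null; publish_crl; }
# Exit 0 iff the cert chains to the CA and is not listed on the current CRL.
verify_cert() { openssl verify -crl_check -CAfile "$WORK/trust.pem" "$WORK/$1.crt" >/dev/null 2>&1; }
# verifyChain = yes makes a side validate the peer certificate against CAfile
# (and, on B, reject clients without one); checkHost pins B's SAN on the client.
write_stunnel_configs() {
    cat > "$WORK/stunnel-A.conf" <<EOF
[openvpn_client]
client = yes
accept = 0.0.0.0:443
connect = <serverB_ip>:993
cert = $WORK/serverA.pem
CAfile = $CA/ca.crt
verifyChain = yes
checkHost = serverB.example
CRLfile = $WORK/crl.pem
EOF
    cat > "$WORK/stunnel-B.conf" <<EOF
client = no
[openvpn_server]
accept = :::993
connect = 127.0.0.1:1194
cert = $WORK/serverB.pem
CAfile = $CA/ca.crt
verifyChain = yes
CRLfile = $WORK/crl.pem
EOF
}
make_ca
issue_cert serverA client_ext stunnel-serverA
issue_cert serverB server_ext serverB.example
write_stunnel_configs
revoke_cert serverA   # A is decommissioned; B's certificate is untouched
verify_cert serverA && echo "serverA: still valid (unexpected)" || echo "serverA: revoked"
verify_cert serverB && echo "serverB: still valid" || echo "serverB: INVALID (unexpected)"
```

Run it as-is; it needs only openssl and leaves everything under a fresh temporary directory. The part that matters for the question is in the two generated stunnel configs: A gets a certificate it can only use as a TLS client and pins B's hostname, B only accepts clients whose certificate chains to the CA and is absent from the CRL, and neither private key ever exists on the other host. With one shared cert none of that is possible, and revoking it takes down both ends at once.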