
My current setup involves a self-signed root CA, which has then signed my SSL/TLS CA and my OpenVPN client CA. The SSL/TLS CA signs the certificates of my servers, and the OpenVPN client CA signs the certificates of OpenVPN clients.

Should the OpenVPN client CA be in its own hierarchy, separate from the root CA? I'm concerned that if a user imports the root CA and trusts it, someone with an OpenVPN client certificate signed by my CA could use that certificate for servers, and then be trusted without any further user intervention. Unless I'm missing something with keyUsage?

OpenSSL is being used.

Robin McCorkell
  • Exactly, Key usage would be what you want, to only allow Client Authentication for OpenVPN client certificates – MichelZ Apr 09 '14 at 13:15
  • The obvious one is the `clientAuth` extended key usage, but the normal key usages are a little bit cryptic. Could you clarify what I should use, perhaps in an answer so I can mark it as accepted? :D – Robin McCorkell Apr 09 '14 at 13:44
  • Yes, it's Enhanced Key Usage. The standard Key usage field is for "Digital Signature" or "Key Encipherment" (So that you can restrict the certificate for signature only, or for encryption only) – MichelZ Apr 09 '14 at 14:01

1 Answer


Enhanced Key Usage is what you're after.

You can set this to Client Authentication (OID: 1.3.6.1.5.5.7.3.2)

MichelZ
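An added example (not from the question or the answer) that shows the answer's point with OpenSSL: it builds a throwaway chain, self-signed root → OpenVPN client CA → client leaf, gives the leaf only the `clientAuth` extended key usage (plus `digitalSignature` as its key usage), and then asks `openssl verify` to treat that leaf as a TLS client and as a TLS server. The CA names, the `vpn-user-1` subject and the 365-day lifetimes are made up for the demo.

```shell
# Added example (not from the question or answer): build a tiny PKI with
# OpenSSL, self-signed root -> OpenVPN client CA -> client leaf, and show
# that a leaf carrying only the clientAuth EKU fails verification as a
# TLS server. Names and the 365-day lifetimes are made up for the demo.
set -eu
WORK=$(mktemp -d)

# Extension profiles: CAs may only sign certs/CRLs; the client leaf gets
# digitalSignature plus extendedKeyUsage=clientAuth and nothing else.
cat > "$WORK/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[client_ext]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

make_pki() (
  cd "$WORK"
  # Self-signed root CA.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.crt \
    -subj "/CN=Example Root CA" -days 365 -config ext.cnf -extensions ca_ext
  # Intermediate CA dedicated to OpenVPN clients, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout clientca.key \
    -out clientca.csr -subj "/CN=Example OpenVPN Client CA" -config ext.cnf
  openssl x509 -req -in clientca.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -out clientca.crt -days 365 -extfile ext.cnf -extensions ca_ext
  # Client leaf signed by the client CA, restricted to clientAuth.
  openssl req -new -newkey rsa:2048 -nodes -keyout client.key \
    -out client.csr -subj "/CN=vpn-user-1" -config ext.cnf
  openssl x509 -req -in client.csr -CA clientca.crt -CAkey clientca.key \
    -CAcreateserial -out client.crt -days 365 -extfile ext.cnf -extensions client_ext
)

# verify_purpose sslclient|sslserver -> "accepted" or "rejected", which is
# the check a TLS peer applies to the chain for that role.
verify_purpose() {
  openssl verify -purpose "$1" -CAfile "$WORK/root.crt" \
    -untrusted "$WORK/clientca.crt" "$WORK/client.crt" >/dev/null 2>&1 \
    && echo accepted || echo rejected
}
make_pki >/dev/null 2>&1
echo "as TLS client: $(verify_purpose sslclient)"   # accepted
echo "as TLS server: $(verify_purpose sslserver)"   # rejected
```

The restriction only helps because the verifying side checks it: OpenSSL's `-purpose` and standard TLS stacks reject a server certificate whose EKU omits `serverAuth`, and OpenVPN's `remote-cert-tls server` option applies the same EKU/keyUsage check from the VPN client's side.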