Re: [Ejbca-develop] patch: generating openvpn windows installer with certificate

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Here is an addition to the 	howto-openvpn-ejbca.txt

7) when creating certificates for OpenVPN create 2 profiles in EJBCA.
One profile for clients and one profile for servers.

In the server profile choose the following certificate usages:
	KU: Digital Signature, Key Encipherment
	EKU: TLS Web Server Authentication

In the client profile choose the following certificate usages:
	KU: Digital Signature
	EKU: TLS Web Client Authentication

Then you can use the following in your OpenVPN config files to gain
additional security and protection against man in the middle attack

client.conf
remote-cert-tls server

server.conf
tls-remote "/C=XXX,CN=[MyServer]"
remote-cert-tls client

In order to verify that the correct KU/EKU/DN is being used
by both sides.

JonB