From: Jon B. <jon...@la...> - 2006-02-23 14:09:46
Here is an addition to the howto-openvpn-ejbca.txt:

7) When creating certificates for OpenVPN, create 2 profiles in EJBCA: one profile for clients and one profile for servers.

In the server profile choose the following certificate usages:
  KU:  Digital Signature, Key Encipherment
  EKU: TLS Web Server Authentication

In the client profile choose the following certificate usages:
  KU:  Digital Signature
  EKU: TLS Web Client Authentication

Then you can use the following in your OpenVPN config files to gain additional security and protection against man-in-the-middle attacks, in order to verify that the correct KU/EKU/DN is being used by both sides:

client.conf:
  remote-cert-tls server

server.conf:
  tls-remote "/C=XXX,CN=[MyServer]"
  remote-cert-tls client

JonB
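The following POSIX shell script is an added example and not part of Jon's post or of the EJBCA howto. It assumes `openssl` is on the PATH and mirrors the two EJBCA profiles above with openssl extension sections, then checks the issued certificates the way `remote-cert-tls` is documented to in OpenVPN 2.1 to 2.3 (server: key usage byte a0 or 88 plus EKU "TLS Web Server Authentication"; client: key usage byte 80, 08 or 88 plus EKU "TLS Web Client Authentication"; check the man page of the version you actually run). A third, deliberately mis-issued client certificate (server key usage, no EKU) shows what a profile mistake looks like before it reaches the VPN. The test CA, names and files are all constructed here.

```shell
#!/bin/sh
# Added example (not from the original post): issue an OpenVPN server and
# client certificate with the KU/EKU from the two EJBCA profiles and check
# them the way OpenVPN 2.1-2.3's --remote-cert-tls does.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the script does not depend on the system openssl.cnf.
cat >"$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
EOF

# Extension sections mirroring the post's two profiles, plus a broken one.
cat >"$WORK/ext.cnf" <<'EOF'
[ ovpn_server ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ ovpn_client ]
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
[ broken_client ]
keyUsage = critical, digitalSignature, keyEncipherment
EOF

# Throw-away CA standing in for the EJBCA CA (constructed test data).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 1 \
  -config "$WORK/req.cnf" -subj "/C=XX/CN=Test CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_cert NAME CN EXT_SECTION -> writes $WORK/NAME.crt signed by the test CA
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/C=XX/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 1 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions "$3" -out "$WORK/$1.crt" 2>/dev/null
}

# ku_byte CERT -> first KeyUsage byte as two hex digits (e.g. a0), or "none".
# This is the value --remote-cert-ku compares against.
ku_byte() {
  line=$(openssl x509 -in "$1" -noout -text |
         awk '/X509v3 Key Usage/{getline; print; exit}')
  [ -n "$line" ] || { echo none; return; }
  v=0
  case "$line" in *"Digital Signature"*) v=$((v | 0x80));; esac
  case "$line" in *"Non Repudiation"*)   v=$((v | 0x40));; esac
  case "$line" in *"Key Encipherment"*)  v=$((v | 0x20));; esac
  case "$line" in *"Data Encipherment"*) v=$((v | 0x10));; esac
  case "$line" in *"Key Agreement"*)     v=$((v | 0x08));; esac
  case "$line" in *"Certificate Sign"*)  v=$((v | 0x04));; esac
  case "$line" in *"CRL Sign"*)          v=$((v | 0x02));; esac
  case "$line" in *"Encipher Only"*)     v=$((v | 0x01));; esac
  printf '%02x\n' "$v"
}

# has_eku CERT "TLS Web Server Authentication" -> 0 if the EKU list contains it
has_eku() {
  openssl x509 -in "$1" -noout -text |
    awk '/X509v3 Extended Key Usage/{getline; print; exit}' | grep -Fq "$2"
}

# remote_cert_tls CERT server|client -> 0 if --remote-cert-tls would accept CERT
remote_cert_tls() {
  ku=$(ku_byte "$1")
  case "$2" in
    server) eku="TLS Web Server Authentication"; allowed=" a0 88 ";;
    client) eku="TLS Web Client Authentication"; allowed=" 80 08 88 ";;
    *) echo "usage: remote_cert_tls CERT server|client" >&2; return 2;;
  esac
  case "$allowed" in *" $ku "*) ;; *) return 1;; esac
  has_eku "$1" "$eku"
}

issue_cert server    "MyServer" ovpn_server
issue_cert client    "alice"    ovpn_client
issue_cert badclient "bob"      broken_client

for c in server client badclient; do
  for role in server client; do
    if remote_cert_tls "$WORK/$c.crt" "$role"; then r=accept; else r=reject; fi
    echo "$c.crt checked with 'remote-cert-tls $role': $r (KU $(ku_byte "$WORK/$c.crt"))"
  done
done
```

The loop shows why the two profiles matter: the server certificate is accepted only by a peer running `remote-cert-tls server`, the client certificate only by `remote-cert-tls client`, and bob's certificate, issued from a profile with the server key usage and no EKU, is rejected by both, so a stolen client certificate cannot be used to impersonate the server. The `tls-remote` DN check from the post is a separate, additional match on the subject and is not modelled here.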