linux
Sam Stay, 2017-09-22 00:33:00

How to organize synchronization of certificates on different OpenVPN servers?

SUBJECT.
Does anyone have any ideas or options for implementing this structure?
For example:

There are two (maybe more) servers. Each of them has OpenVPN installed and configured. Each has the Easy-RSA package installed. When generating client certificates, you need to somehow synchronize the database so that the client can connect to both the 1st server and the 2nd one.
I ask you not to offer schemes that mount a folder from one server onto another. I think this is stupid, because if the server whose folder is mounted goes down, the whole structure falls apart.
Thank you!


2 answer(s)
chupasaurus, 2017-09-22
@savenko_egor

Don't sync at all. The private key must not leave the place where it was stored after generation, except for 2 situations: a threat to the storage with the key and the threat of theft. In order to play with fire, they came up with certificate chains: create a separate root CA and sign the certificates of other servers with it.

ValdikSS, 2017-09-24
@ValdikSS

Client certificates do not need to be stored on the server. When connecting, the client sends the certificate itself to the OpenVPN server (but not the private key), the server checks the correctness of the digital signature and hierarchy, and allows the VPN connection. There should be no client certificates on the server at all. Synchronizing certificates between different PKIs with the same private keys is also not required (although this is not very good).
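Both answers describe the same PKI layout: one root CA, every server and client certificate signed by it, and a server that validates whatever certificate the client presents against ca.crt alone. The script below is an added example, not code from either answer or from OpenVPN/Easy-RSA; it builds that layout with plain openssl (Easy-RSA drives the same calls), and the work directory and all common names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): one root CA shared by several OpenVPN
# servers. $PKI and the CN values are constructed for the demonstration.
set -eu
PKI="${PKI:-$(mktemp -d)}"

# One root CA for the whole VPN; its private key stays off the OpenVPN servers.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=VPN Root CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.crt" 2>/dev/null
}

# Issue one leaf certificate signed by the root CA.
# $1 = common name, $2 = serverAuth (server) or clientAuth (client)
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\n' "$2" >"$PKI/$1.ext"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" \
    -CAcreateserial -days 365 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}

# What any server in the pool does when a client connects: validate the chain
# of the presented certificate against ca.crt alone and require the clientAuth
# purpose (the check OpenVPN's "remote-cert-tls client" performs). No client
# certificate is stored on the server, so there is nothing to synchronize.
server_accepts() {
  if openssl verify -CAfile "$PKI/ca.crt" -purpose sslclient "$PKI/$1.crt" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# A certificate from some other, untrusted CA (constructed here as self-signed).
make_rogue() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$PKI/$1.key" -out "$PKI/$1.crt" 2>/dev/null
}

main() {
  make_ca
  issue_cert server1 serverAuth   # goes to server 1 together with ca.crt
  issue_cert server2 serverAuth   # goes to server 2 together with ca.crt
  issue_cert alice clientAuth     # handed to the client only
  make_rogue mallory
  for c in alice server1 mallory; do echo "$c: $(server_accepts "$c")"; done
}
main
```

Every server that holds ca.crt gives the same verdict for alice, which is why the client can connect to either server without any certificate database being copied between them.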
