On 25.07.23 21:12, Jason Long wrote:
> So, if I need an auto-failover mechanism, then my servers (Physical or VM) key files must be the same
Not quite. You *could* give the servers/instances certs identifying them as "vpn-in-0001" through "vpn-in-4711", and then have the client configs check only the CA's signature and the "vpn-in-" part of the cert CN, for example. Using the *exact same* key+cert across all instances is a still-simpler approach (as in, no need to verify every *single* instance's crypto setup after updates, etc.), but leaves you with empty hands if the one cert ever gets leaked/revoked.
> and if I don't need that mechanism, then all server configuration files can use the same keys. Am I right?
You *can* use the same or different server certs, and different certs *can* be generated from the same privkey or different ones. As I said, it's *your* trade-off (vulnerable monoculture vs. maintenance complexity, yadda yadda) to make.
Kind regards,
-- 
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
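The per-instance-cert approach described in the reply above, written out as an added client-side OpenVPN config fragment (not taken from the thread or from the OpenVPN project). It assumes the server instances were issued certs with CNs "vpn-in-0001" through "vpn-in-4711" by one private CA, and that the CA cert is shipped to clients as ca.crt; the file names, the CN prefix and the four remote hostnames are assumed values.

```conf
# Added example: client config checking (a) the CA signature and
# (b) only the "vpn-in-" prefix of the server cert's CN, so any
# instance with its own cert from the same CA is accepted and a
# single leaked instance cert can be revoked without replacing all.

client
dev tun
proto udp

# Failover: the client tries these in order (or randomly with
# remote-random); each instance presents its own cert.  Hostnames
# are assumed values.
remote vpn1.example.net 1194
remote vpn2.example.net 1194
remote vpn3.example.net 1194
remote vpn4.example.net 1194
remote-random

# (a) Only certs chained to this private CA are accepted.
ca ca.crt

# Reject any cert that is not a *server* cert (key usage / EKU),
# so a leaked client cert cannot impersonate an instance.
remote-cert-tls server

# (b) Accept any CN starting with "vpn-in-" (vpn-in-0001 ... vpn-in-4711).
# With the monoculture setup (one shared cert) this would instead be
#   verify-x509-name vpn-in-shared name
# which pins the exact CN: simpler, but revoking that one cert
# takes every instance offline at once.
verify-x509-name vpn-in- name-prefix

# Client identity (assumed file names).
cert client.crt
key client.key
```

On the CA side, keep a CRL that the servers load (crl-verify) so a revoked instance or client cert is actually rejected; the name-prefix check above only narrows *which* valid certs are trusted as servers, it does not by itself handle revocation.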