Re: [openssl-users] Diffie-Hellman Questions

[Michael Wojcik]

> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Norm Green
> Sent: Tuesday, May 24, 2016 13:40
> 
> I've tried both:
> 
> SSL_CTX_set_cipher_list("AECDH")
> 
> and:
> 
> SSL_CTX_set_cipher_list("AECDH-AES256-SHA")
> 
> on both the client and server side, both of which result in the dreaded
> "no shared cipher" error:
> 
> error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared
> cipher:s3_srvr.c:1417:

You might run a wire trace to see what suites the client is actually 
advertising.

And you are using TLS, right?

For AECDH* (or any ECC suite), don't you have to tell OpenSSL what curve to 
use? I haven't implemented that bit myself in any applications, but my 
understanding is that with OpenSSL 1.0.2 you can just call 
SSL_CTX_set_ecdh_auto(ctx, 1). With 1.0.1 you have to specify a particular 
named curve with SSL_CTX_set_tmp_ecdh.

-- 
Michael Wojcik
Technology Specialist, Micro Focus

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] (SPAM) I: Question on ccm mode in openssl

[Erwann Abalea]

Bonjour,

CCM mode is already implemented in OpenSSL.

Cordialement,
Erwann Abalea

Le 24 mai 2016 à 17:43, Christian Adja 
> a écrit :



Il Martedì 24 Maggio 2016 17:21, Christian Adja 
> ha scritto:


Good morning, i'm a master student at telecom paristech, i France, i'm working 
on openssl to add ieee and etsi certs for client. I saw that the ccm mode is 
not implemented in current openssl 1.0.2g version. So i would know if there a 
way to add the ccm mode? Thanks.

Best regards


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Salz, Rich]

> Any suggestions on how to proceed?

Sorry, no.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Norm Green]

I've tried both:

SSL_CTX_set_cipher_list("AECDH")

and:

SSL_CTX_set_cipher_list("AECDH-AES256-SHA")

on both the client and server side, both of which result in the dreaded 
"no shared cipher" error:


error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared 
cipher:s3_srvr.c:1417:


The following works but is not what I want:

SSL_CTX_set_cipher_list("ADH")


Any suggestions on how to proceed?

Norm Green


On 5/24/16 10:45, Salz, Rich wrote:

  >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
AECDH-AES256-SHASSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHASSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
AECDH-RC4-SHA   SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
AECDH-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=None Enc=3DES(168)
Mac=SHA1
AECDH-NULL-SHA  SSLv3 Kx=ECDH Au=None Enc=None  Mac=SHA1

1) What arg to SSL_CTX_set_cipher_list() to I need to use to get these?
I previously tried "kEECDH:kEDH" and that didn't work.

Use one of the names in the first column.
  

2) These ciphers all report as SSLv3.

That is the protocol version where they were first defined.




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Certificate Transparency: OCSP response

[stas730]

I want to test all 3 types of CT. I know how to implement two: TLS extension
& X.509 extension. But how to implement OCSP response? I can add response
file, but how to change OID?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Certificate-Transparency-OCSP-response-tp66295.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Salz, Rich]

>  >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
> AECDH-AES256-SHASSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
> AECDH-AES128-SHASSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
> AECDH-RC4-SHA   SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
> AECDH-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=None Enc=3DES(168)
> Mac=SHA1
> AECDH-NULL-SHA  SSLv3 Kx=ECDH Au=None Enc=None  Mac=SHA1
> 
> 1) What arg to SSL_CTX_set_cipher_list() to I need to use to get these?
> I previously tried "kEECDH:kEDH" and that didn't work.

Use one of the names in the first column.
 
> 2) These ciphers all report as SSLv3.

That is the protocol version where they were first defined.


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Norm Green]

Thanks Rich.  More newbie questions.

Looking at the available ciphers I see this:

>./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
AECDH-AES256-SHASSLv3 Kx=ECDH Au=None Enc=AES(256)  Mac=SHA1
AECDH-AES128-SHASSLv3 Kx=ECDH Au=None Enc=AES(128)  Mac=SHA1
AECDH-RC4-SHA   SSLv3 Kx=ECDH Au=None Enc=RC4(128)  Mac=SHA1
AECDH-DES-CBC3-SHA  SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-NULL-SHA  SSLv3 Kx=ECDH Au=None Enc=None  Mac=SHA1

1) What arg to SSL_CTX_set_cipher_list() to I need to use to get these?  
I previously tried "kEECDH:kEDH" and that didn't work.


2) These ciphers all report as SSLv3.   Do I have to use SSLv3 
client/server methods to get access to these ciphers?  I was using TLS 
1.2 (TLSv1_2_server_method()) methods.


Norm Green


On 5/24/16 10:08, Salz, Rich wrote:

1) The wiki says don't use ADH, presumably because ADH provides
encryption but not authentication and is exposed to man in the middle
attacks. Is that the only reason?

Use ECDH, it's less expensive computationally.
  

2) Are the same encryption keys used every time with ADH?

Yes.  That's the other BIG reason :)  You really want ephemeral, and therefore 
ECDH


3) Is it possible to use ephemeral DH without using certificates?  I was not
able to get that to work.

Yes.  This is "null" auth.
  

4) What is the best practice for establishing an anonymous encrypted
channel using OpenSSL?

Postfix does this kind of thing, as does other SMTP software.  Look around for 
'opportunistic encryption' perhaps.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Diffie-Hellman Questions

[Salz, Rich]

> 1) The wiki says don't use ADH, presumably because ADH provides
> encryption but not authentication and is exposed to man in the middle
> attacks. Is that the only reason?

Use ECDH, it's less expensive computationally.
 
> 2) Are the same encryption keys used every time with ADH?

Yes.  That's the other BIG reason :)  You really want ephemeral, and therefore 
ECDH

> 3) Is it possible to use ephemeral DH without using certificates?  I was not
> able to get that to work.

Yes.  This is "null" auth.
 
> 4) What is the best practice for establishing an anonymous encrypted
> channel using OpenSSL?

Postfix does this kind of thing, as does other SMTP software.  Look around for 
'opportunistic encryption' perhaps.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Diffie-Hellman Questions

[Norm Green]

I need some clarifications on the DH implementation in OpenSSL. 
Currently I'm using version 1.0.2h


1) The wiki says don't use ADH, presumably because ADH provides 
encryption but not authentication and is exposed to man in the middle 
attacks. Is that the only reason?


2) Are the same encryption keys used every time with ADH?

3) Is it possible to use ephemeral DH without using certificates?  I was 
not able to get that to work.


4) What is the best practice for establishing an anonymous encrypted 
channel using OpenSSL?


Norm Green

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] I: Question on ccm mode in openssl

[Christian Adja]

 Il Martedì 24 Maggio 2016 17:21, Christian Adja  
ha scritto:
 

 Good morning, i'm a master student at telecom paristech, i France, i'm working 
on openssl to add ieee and etsi certs for client. I saw that the ccm mode is 
not implemented in current openssl 1.0.2g version. So i would know if there a 
way to add the ccm mode? Thanks.
Best regards


  -- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] make test failed on HPUX parisc

[Viktor Dukhovni]

On Tue, May 24, 2016 at 06:05:34PM +0900, Alexandre Klein wrote:

> 
> I'm using "hpux-parisc2-cc". I modified Configure to use +DAportable:
> "hpux-parisc2-cc","cc:+DAportable   +O3 ...
> "hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 ...

For meaningful help, post an unedited "diff" between the original
and your version.

The original Configure file has:

"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed -Ae +ESlit 
-DB_ENDIAN -DMD32_XARRAY -D_REENTRANT-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR 
RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:".eval{my 
$asm=$parisc20_asm;$asm=~s/2W\./2\./;$asm=~s/:64/:32/;$asm}.":dl:hpux-shared:+Z:-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_32",
"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed -Ae +ESlit 
-DB_ENDIAN -DMD32_XARRAY -D_REENTRANT-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR 
RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 
DES_INT:${parisc20_asm}:dlfcn:hpux-shared:+Z:+DD64 
-b:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):::/pa20_64",

> $ ./Configure hpux-parisc2-cc --prefix=path/to/folder no-shared no-zlib
> no-zlib-dynamic no-rc5 no-idea no-ec no-ecdh no-ecdsa no-asm no-mdc2 no-bf
> no-cast no-md2 no-rc4 no-jpake no-gmp

In particular you sure you want "no-asm" and "no-shared"?  Those
targets seem to be designed for shared builds with asm.

-- 
Viktor.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is a certificate supposed to certify a device ...

[debbie10t]

Hi Kim kim.

you would get more appropriate advise for OpenVPN from:
https://forums.openvpn.net/

Also see the OpenVPN HOWTO located there ..
The manual page can also be very helpful:
https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage

The openvpn users mailing list is also a great source of help.
Find the mailing lists at:
https://openvpn.net/index.php/open-source/documentation/miscellaneous/61-mailing-lists.html

With regard to your specific problem:
  If you have deleted your server side copies of the ca.key and ca.crt
  then all the associated server & client certificates/keys will be useless
  and can *never* be used by openvpn again.
  You would have to recreate a new PKI from scratch.

Regards
--




On 24/05/16 08:21, Kim kim wrote:

Hello,


I am a non English native and just a newbie, the opposite of an IT expert, and 
am totally stuck on this. If any of you can kindly give any advice on my stupid 
or basic questions I would indeed greatly, greatly appreciate your help:


Some while ago, for the first time in my life I (installed servers and) created 
certificates/keys, in order to use Openvpn on my stuffs. I successfully created 
those but then I felt I needed to figure out much more about other parts of 
server security, so I couldn't use those immediately but just leave those alone.


What I've done was,

- I wanted to use Openvpn on my work and all other stuffs (I'm not an expert; I 
just wanted to learn and do the basic things, if I can.).

- After reading some documents I understood/thought I should have "server" in 
order to use Openvpn. (Until then, I only have Microsoft Windows (not server) and virtual 
machine guest Windows (not server) on it.)

- So I installed some Linux "server(s)" as guest os(es), for the first time in 
my life.

  here what I actually did was: 1. installed A server, 2. following the 
instructions on the Openvpn website etc, completed the steps issuing cerficates 
(CA, server, client) using easy-rsa, 3. installed B server as another guest os, 
2. completed the issueing certificates (CA, server, client) steps.

- But I felt I should learn and configure the rest part of server security in 
order to actually start using the system(s), so I couldn't go further at that 
time; so I just quit going further and had to leave those alone, without doing 
anything on it.

- disconnected the internet connections from those guest OSes.


And then i've been worried about the certificates and keys that were properly 
issued at that time, I believe. I don't know what I have to be worried about 
actually and even if I really have to be worried about any things regarding it 
or not.

At that time I created the certificates mainly for the use of all my 
basic(?)/initial(?) system, so the CAs, servers, and clients cerfiticates were 
only created and as far as I remember I didn't send these to others or share 
with any.

But I'm worried as I hear server can be hacked very quickly after created...

Haven't deleted/couldn't delete those two servers because I don't know if it 
will be needed, if the certificates and keys need to be revoked


I wonder, do I have to revoke all the cerfiticates and keys, including CA 
itself? Do I revoke the CAs using the same CAs?

(And actually I had a window os, not server, too before installing those two servers, in 
which I also issued some certs and keys to use Openvpn (until then I didn't think about 
the need of "server" for using Openvpn), but then I just completely deleted the 
window device itself without making any revocation or whatsoever.. so currently I don't 
even have that system... Can I still even revoke those certificates and keys issued on 
the deleted device? how?...)


I now really need to proceed with my stuffs but I'm still stuck on it.

I don't know what should I do to delete any risk/danger remaining, if any. Or 
can I simply delete these two servers) without revoking(?) any or whatsoever, 
without anything to worry about?

Is a certificate supposed to certify a device (either CA, server or client)? So 
therefore don't I have to be even worried about the certs and keys if I no 
longer use the device itself (or if I delete the device itself)? What is the 
bottom line for compromised etc certificates/keys (maybe in security 
perspective or whatsoever...)?


I look forward to hearing from you.

Thank you very much for your time and your help indeed!

Best regards,
Kim




--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Looking for the Changelog in openssl-fips-2.0.12

[Steve Marquess]

On 05/24/2016 07:56 AM, Philip Bellino wrote:
> Hello,
> 
> I am looking for the Changelog that explains the changes between
> openssl-fips-2.0.9 and 2.0.12.
> 
>  
> 
> The README.FIPS that comes with 2.0.12 points here:
> https://www.openssl.org/docs/fips  but I cannot find the changes.
> 
>  
> 
> Any help would be most appreciated.

Look at the Security Policy document, "Modification History":

  http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2398.pdf

Since in general we aren't allowed to add new functionality or even to
fix security vulnerabilities for validated modules, the only reason to
use a newer module revision (2.0.12) instead of an older one (2.0.9) is
that the older one lacks support for your specific platform(s) of
interest; there is no advantage in updating already fielded modules like
you would for OpenSSL proper or other more conventionally maintained
software.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Looking for the Changelog in openssl-fips-2.0.12

[Philip Bellino]

Hello,
I am looking for the Changelog that explains the changes between 
openssl-fips-2.0.9 and 2.0.12.

The README.FIPS that comes with 2.0.12 points here: 
https://www.openssl.org/docs/fips  but I cannot find the changes.

Any help would be most appreciated.
Thanks,
Phil




[E-Banner]


MRV Communications is a global supplier of packet and optical solutions that 
power the world's largest networks. Our products combine innovative hardware 
with intelligent software to make networks smarter, faster and more efficient.



The contents of this message, together with any attachments, are intended only 
for the use of the person(s) to whom they are addressed and may contain 
confidential and/or privileged information. If you are not the intended 
recipient, immediately advise the sender, delete this message and any 
attachments and note that any distribution, or copying of this message, or any 
attachment, is prohibited.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: [openssl-users] Is a certificate supposed to certify a device ...

[Jakob Bohm]

A certificate certifies whatever it says it certifies,
nothing else.

More precisely, an X.509 certificate of the kind used with
OpenSSL, OpenVPN etc. certifies that:

  The secret private key that corresponds to the public
  key listed in the certificate is known only to something
  or someone for whom the combination of all the other
  things said in the certificate are true, and that
  whomever is listed in the certificate as the "Issuer"
  has verified that to be true.

So for example, if your OpenVPN certificate says that
"YourLinuxVM certifies that only YourLinuxVM has a copy of
the private key for some public key, and that this key is
intended for OpenVPN use between May 20th 2016 and May
20th 2017", that in itself is not much of a statement.  A
more important statement is the fact that you somehow
installed a copy of that certificate at the other end of
the VPN tunnel and told that end to trust that certificate
as something relevant to the OpenVPN use.

If you have reason to believe a private key may have been
stolen/copied to a dangerous place, you should "revoke"
the certificate that says knowledge of that private key
means anything, then generate a new key plus certificate
and install that.  Replacing keys like that is pretty
routine, just like changing passwords is routine, except
that with keys and certificates, you don't have to think
up a new password, because the computer does that for you.

As for the risk of instant compromise of a new machine as
it is being installed, there are two standard
countermeasures:

1. Don't allow the Internet to contact that machine until
  it has been completely installed with all the security
  updates provided by whichever Linux distribution
  (branded collection of prebuilt software, such as Red
  Hat, Fedora, Ubuntu, Debian etc.) you are using.  This
  should be done by not opening any real ports for that
  machine in your firewall/router except for whatever
  is needed by the install process itself.

2. Use a server operating system with a lot less security
  bugs than e.g. Windows Server 2003, depending on which
  Linux distribution and which version of that you used,
  you may already have done that.

On 24/05/2016 09:21, Kim kim wrote:


Hello,


I am a non English native and just a newbie, the opposite of an IT 
expert, and am totally stuck on this. If any of you can kindly give 
any advice on my stupid or basic questions I would indeed greatly, 
greatly appreciate your help:



Some while ago, for the first time in my life I (installed servers 
and) created certificates/keys, in order to use Openvpn on my stuffs. 
I successfully created those but then I felt I needed to figure out 
much more about other parts of server security, so I couldn't use 
those immediately but just leave those alone.



What I've done was,

- I wanted to use Openvpn on my work and all other stuffs (I'm not an 
expert; I just wanted to learn and do the basic things, if I can.).


- After reading some documents I understood/thought I should have 
"server" in order to use Openvpn. (Until then, I only have Microsoft 
Windows (not server) and virtual machine guest Windows (not server) on 
it.)


- So I installed some Linux "server(s)" as guest os(es), for the first 
time in my life.


 here what I actually did was: 1. installed A server, 2. following 
the instructions on the Openvpn website etc, completed the steps 
issuing cerficates (CA, server, client) using easy-rsa, 3. installed B 
server as another guest os, 2. completed the issueing certificates 
(CA, server, client) steps.


- But I felt I should learn and configure the rest part of server 
security in order to actually start using the system(s), so I couldn't 
go further at that time; so I just quit going further and had to leave 
those alone, without doing anything on it.


- disconnected the internet connections from those guest OSes.


And then i've been worried about the certificates and keys that were 
properly issued at that time, I believe. I don't know what I have to 
be worried about actually and even if I really have to be worried 
about any things regarding it or not.


At that time I created the certificates mainly for the use of all my 
basic(?)/initial(?) system, so the CAs, servers, and clients 
cerfiticates were only created and as far as I remember I didn't 
send these to others or share with any.


But I'm worried as I hear server can be hacked very quickly after 
created...


Haven't deleted/couldn't delete those two servers because I don't know 
if it will be needed, if the certificates and keys need to be revoked



I wonder, do I have to revoke all the cerfiticates and keys, including 
CA itself? Do I revoke the CAs using the same CAs?


(And actually I had a window os, not server, too before installing 
those two servers, in which I also issued some certs and keys to use 
Openvpn (until then I didn't think about the need of "server" for 
using Openvpn), but then I just completely deleted 

[openssl-users] make test failed on HPUX parisc

[Alexandre Klein]

Hi,

I would like to build openssl 1.0.2h on my HPUX but it failed when running
the tests (v3nametest).

My machine: HPUX PARISC B11.11
B9007AAB.11.11.20 HP C/aC++ Developer's Bundle


I'm using "hpux-parisc2-cc". I modified Configure to use +DAportable:
"hpux-parisc2-cc","cc:+DAportable   +O3 ...
"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 ...

$ ./Configure hpux-parisc2-cc --prefix=path/to/folder no-shared no-zlib
no-zlib-dynamic no-rc5 no-idea no-ec no-ecdh no-ecdsa no-asm no-mdc2 no-bf
no-cast no-md2 no-rc4 no-jpake no-gmp
$ make depend
$ make
$ make test

Then it is failing when running:
../util/shlib_wrap.sh ./v3nametest
set CN: host: [a] does not match [a]
set CN: host-no-wildcards: [a] does not match [a]
set CN: host: [b] does not match [b]
set CN: host-no-wildcards: [b] does not match [b]
...
set rfc822Name: email: [postmas...@example.com] does not match [
postmas...@example.com]
set rfc822Name: email: [postmas...@example.com] does not match [
postmas...@example.com]
set rfc822Name: email: [postmas...@example.com] does not match [
postmas...@example.com]
Makefile:347: recipe for target 'test_v3name' failed
make[1]: Leaving directory '/home/alex/workspace/openssl/temp/test'
Makefile:460: recipe for target 'tests' failed
make[1]: *** [test_v3name] Error 1
make: *** [tests] Error 2

As far as I remember, it was no problem when building 1.0.1f on this
machine.

Is there something that I am missing?

Please let me know if you would like to see the full log file (or some
parts).

Alex
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[openssl-users] Is a certificate supposed to certify a device ...

[Kim kim]

Hello,


I am a non English native and just a newbie, the opposite of an IT expert, and 
am totally stuck on this. If any of you can kindly give any advice on my stupid 
or basic questions I would indeed greatly, greatly appreciate your help:


Some while ago, for the first time in my life I (installed servers and) created 
certificates/keys, in order to use Openvpn on my stuffs. I successfully created 
those but then I felt I needed to figure out much more about other parts of 
server security, so I couldn't use those immediately but just leave those alone.


What I've done was,

- I wanted to use Openvpn on my work and all other stuffs (I'm not an expert; I 
just wanted to learn and do the basic things, if I can.).

- After reading some documents I understood/thought I should have "server" in 
order to use Openvpn. (Until then, I only have Microsoft Windows (not server) 
and virtual machine guest Windows (not server) on it.)

- So I installed some Linux "server(s)" as guest os(es), for the first time in 
my life.

 here what I actually did was: 1. installed A server, 2. following the 
instructions on the Openvpn website etc, completed the steps issuing cerficates 
(CA, server, client) using easy-rsa, 3. installed B server as another guest os, 
2. completed the issueing certificates (CA, server, client) steps.

- But I felt I should learn and configure the rest part of server security in 
order to actually start using the system(s), so I couldn't go further at that 
time; so I just quit going further and had to leave those alone, without doing 
anything on it.

- disconnected the internet connections from those guest OSes.


And then i've been worried about the certificates and keys that were properly 
issued at that time, I believe. I don't know what I have to be worried about 
actually and even if I really have to be worried about any things regarding it 
or not.

At that time I created the certificates mainly for the use of all my 
basic(?)/initial(?) system, so the CAs, servers, and clients cerfiticates were 
only created and as far as I remember I didn't send these to others or share 
with any.

But I'm worried as I hear server can be hacked very quickly after created...

Haven't deleted/couldn't delete those two servers because I don't know if it 
will be needed, if the certificates and keys need to be revoked


I wonder, do I have to revoke all the cerfiticates and keys, including CA 
itself? Do I revoke the CAs using the same CAs?

(And actually I had a window os, not server, too before installing those two 
servers, in which I also issued some certs and keys to use Openvpn (until then 
I didn't think about the need of "server" for using Openvpn), but then I just 
completely deleted the window device itself without making any revocation or 
whatsoever.. so currently I don't even have that system... Can I still even 
revoke those certificates and keys issued on the deleted device? how?...)


I now really need to proceed with my stuffs but I'm still stuck on it.

I don't know what should I do to delete any risk/danger remaining, if any. Or 
can I simply delete these two servers) without revoking(?) any or whatsoever, 
without anything to worry about?

Is a certificate supposed to certify a device (either CA, server or client)? So 
therefore don't I have to be even worried about the certs and keys if I no 
longer use the device itself (or if I delete the device itself)? What is the 
bottom line for compromised etc certificates/keys (maybe in security 
perspective or whatsoever...)?


I look forward to hearing from you.

Thank you very much for your time and your help indeed!

Best regards,
Kim
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users