How to protect public and private keys

Hi there,

I've recently set up OpenVPN.

On my Windows box (the client) I have put a ca.crt and client1.crt and client1.key into the config directory. These keys were made on a totally separate server (different from the OpenVPN server).

If someone got a hold of my ca.crt, what would stop them from creating their own client keys on a server of their own, and using them to connect to my vpn?

It is recommended to keep the Private Keys on a separate disk like USB drives, etc. But why do you want to protect the Public Keys?

jonnytabpni (Author) commented:
Can't someone just create their own private keys themselves?

All I had to do was use easy-rsa and run ./build-key client1

Is ca.crt a public or private key?

Even if someone creates a private key, they will not be able to decrypt. Creation of keys includes randomly generated data which is continuously refreshed. It will always be unique.

jonnytabpni (Author) commented:
I'm really sorry but my knowledge of PKI is very bad!

I understand that no one will be able to decrypt unless they use the correct private key.

But my question is that, if someone creates their own private key, will they be able to connect to the vpn and use my resources?

I have no knowledge of VPN. But in case your VPN requires your Private Key for login then no other private key will work.

jonnytabpni (Author) commented:
Hmm, that's the thing I'm not sure about. I generated all my certs and keys on a totally separate server.

The OpenVPN server didn't have an option to specify *which* private keys are allowed..

Here you can find how it works:

Question has a verified solution.
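
As an added example (not part of the thread and not written by any participant), the script below shows what the question turns on: ca.crt is a public certificate, and a client certificate only validates against it if it was signed with the matching private ca.key. It assumes the `openssl` command-line tool is installed; the CA name, file names and temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example with constructed names (Example-VPN-CA, client1); not the poster's files.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
mkdir "$WORK/real" "$WORK/rogue"

make_ca() {        # $1 = CA directory: writes ca.key (private, signs) and ca.crt (public)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example-VPN-CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client() {   # $1 = CA directory (ca.key required), $2 = output prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$2.crt" 2>/dev/null
}

verify_client() {  # $1 = ca.crt the server trusts, $2 = client certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# The real CA generates and signs client1: the same generate-then-sign
# sequence that ./build-key client1 performs.
make_ca "$WORK/real"
issue_client "$WORK/real" "$WORK/legit"

# A second CA with the same name but its own key stands in for someone who
# holds only a copy of ca.crt: without ca.key they must sign with another key.
make_ca "$WORK/rogue"
issue_client "$WORK/rogue" "$WORK/rogue_client"

for cert in legit rogue_client; do
    if verify_client "$WORK/real/ca.crt" "$WORK/$cert.crt"; then
        echo "$cert.crt: accepted by the real ca.crt"
    else
        echo "$cert.crt: rejected by the real ca.crt"
    fi
done
```

The file to guard is ca.key, which is why keeping it off the VPN server and off clients, as the poster did by generating keys on a separate machine, matters more than hiding ca.crt.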
