How to protect public and private keys

Posted on 2008-10-30
Last Modified: 2012-05-05
Hi there,

I've recently set up open vpn.

On my Windows box (the client) I have put a ca.crt and client1.crt and client1.key into the config directory. These keys were made on a totally separate server (different from the openVPN server).

If someone got a hold of my ca.crt, what would stop them from creating their own client keys on a server of their own, and using them to connect to my vpn?

Question by: jonnytabpni

Expert Comment

ID: 22848226
It is recommended to keep the Private Keys on a separate disk like USB drives, etc. But why do you want to protect the Public Keys?

Author Comment

ID: 22848233
Can't someone just create their own private keys themselves?

All I had to do was use easy-rsa and run ./build-key client1

Is ca.crt a public or private key?

Expert Comment

ID: 22848247
Even if someone creates a private key, they will not be able to decrypt. Creation of keys includes randomly generated data which is continuously refreshed. It will always be unique.

Author Comment

ID: 22848256
I'm really sorry but my knowledge of PKI is very bad!

I understand that no one will be able to decrypt unless they use the correct private key.

But my question is that, if someone creates their own private key, will they be able to connect to the vpn and use my resources?

Accepted Solution

rpkhare earned 500 total points
ID: 22848291
I have no knowledge of VPN. But in case your VPN requires your Private Key for login then no other private key will work.

Author Comment

ID: 22848302
Hmm, that's the thing I'm not sure about. I generated all my certs and keys on a totally separate server.

The openVPN server didn't have an option to specify *which* private keys are allowed..
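
The trust check behind this question, as an added example that is not part of the original thread: ca.crt is the CA's public certificate, and a client certificate chains to it only if it was signed with the matching private ca.key. The script uses the `openssl` CLI and assumes a server that authenticates clients by certificate; the CA name `Demo-VPN-CA`, the directories and the function names are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. CA name, directories and function names are constructed for this demo.
set -eu

# make_ca DIR: create a CA. ca.key is the private signing key, ca.crt the public certificate.
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo-VPN-CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client CA_DIR NAME: make NAME.key, then a NAME.crt signed with CA_DIR/ca.key.
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}

# check_client CA_CRT CLIENT_CRT: chain check against the trusted CA certificate.
check_client() {
  if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo accepted
  else
    echo rejected
  fi
}

demo() {
  work=$(mktemp -d)
  make_ca "$work/real"                 # the CA whose ca.crt the VPN server trusts
  issue_client "$work/real" client1
  # A party holding only a copy of ca.crt can reuse the CA's name but must sign
  # with a different private key, because ca.key is not part of ca.crt.
  make_ca "$work/lookalike"
  issue_client "$work/lookalike" client1
  echo "signed by real ca.key: $(check_client "$work/real/ca.crt" "$work/real/client1.crt")"
  echo "signed by other key:   $(check_client "$work/real/ca.crt" "$work/lookalike/client1.crt")"
  rm -rf "$work"
}

demo
```

The file to guard is therefore ca.key on the machine where the certificates were generated, along with each client's own .key file.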

Expert Comment

ID: 22848318
Here you can find how it works:


Question has a verified solution.
