Intermediary CAs
This recipe shows how to set up an intermediary CA and how to configure OpenVPN to make use of an intermediary CA. The OpenVPN easy-rsa scripts also include functionality to set up an intermediary CA. The advantage of an intermediary CA (or sub CA) is that the top-level CA (also known as the root CA) can be guarded more closely. The intermediary CAs can be distributed to the people responsible for generating the server and client certificates.
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2. In this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 12 Linux and OpenVPN 2.1.1.
How to do it...
First, we create the intermediary CA certificate:
$ cd /etc/openvpn/cookbook/
$ . ./vars
$ ./build-inter IntermediateCA
Verify that this certificate can indeed act as a Certificate Authority:
$ openssl x509 -text -noout -in keys/IntermediateCA.crt \
    | grep -C 1 CA
X509v3 Basic...
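The grep above matches any line that contains "CA", including subject and issuer names. The following added example (not part of the original recipe) reads the same openssl text output and reports a verdict based only on the Basic Constraints and Key Usage values; the helper name ca_verdict and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: stricter form of the `grep -C 1 CA` check.
# Reads `openssl x509 -text -noout` output on stdin and prints one verdict:
#   CA       Basic Constraints has CA:TRUE and Key Usage (if present) allows signing
#   NO_SIGN  CA:TRUE, but Key Usage is present without "Certificate Sign"
#   NOT_CA   Basic Constraints missing or CA:FALSE
ca_verdict() {   # hypothetical helper name
    awk '
        /X509v3 Basic Constraints:/ { want = "bc"; next }
        /X509v3 Key Usage:/         { want = "ku"; next }
        want == "bc" { if ($0 ~ /CA:TRUE/) ca = 1; want = ""; next }
        want == "ku" { ku = 1; if ($0 ~ /Certificate Sign/) sign = 1; want = ""; next }
        END {
            if (!ca)              print "NOT_CA"
            else if (ku && !sign) print "NO_SIGN"
            else                  print "CA"
        }'
}

# Constructed samples in the layout openssl prints (not real certificates).
sample_intermediate() {
    printf '%s\n' \
        '        Subject: CN=IntermediateCA' \
        '        X509v3 extensions:' \
        '            X509v3 Basic Constraints: ' \
        '                CA:TRUE' \
        '            X509v3 Key Usage: ' \
        '                Certificate Sign, CRL Sign'
}
sample_server() {   # leaf cert: a bare "grep CA" still matches its issuer line
    printf '%s\n' \
        '        Issuer: CN=IntermediateCA' \
        '        X509v3 extensions:' \
        '            X509v3 Basic Constraints: ' \
        '                CA:FALSE' \
        '            X509v3 Extended Key Usage: ' \
        '                TLS Web Server Authentication'
}
sample_no_sign() {
    printf '%s\n' \
        '            X509v3 Basic Constraints: critical' \
        '                CA:TRUE, pathlen:0' \
        '            X509v3 Key Usage: ' \
        '                Digital Signature'
}

for s in sample_intermediate sample_server sample_no_sign; do
    printf '%-20s %s\n' "$s" "$("$s" | ca_verdict)"
done
# Real use: openssl x509 -text -noout -in keys/IntermediateCA.crt | ca_verdict
```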