Intermediary CAs
This recipe shows how to set up an intermediary CA and how to configure OpenVPN to make use of an intermediary CA. The OpenVPN easy-rsa
scripts also include functionality to set up an intermediary CA. The advantage of an intermediary CA (or sub CA) is that the top-level CA (also known as the root CA) can be guarded more closely. The intermediary CAs can be distributed to the people responsible for generating the server and client certificates.
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. This recipe was performed on a computer running CentOS 6 Linux but it can easily be run on Windows or Mac OS.
How to do it...
First, we create the intermediary CA certificate:
$ cd /etc/openvpn/cookbook/ $ . ./vars $ ./build-inter IntermediateCA
Verify that this certificate can indeed act as a Certificate Authority:
$ openssl x509 -text -noout -in keys/IntermediateCA.crt \ | grep...