TR Forums

I'm trying to understand exactly how this works.

If you are only trusting certificates from a private CA that's only issuing certs for a specific vpn then I assume it doesn't make much difference what the certificate says (ie the CN), it's from the trusted CA so that's enough to authenticate the connection.

If you're using a public CA though anyone can get a cert from them so your VPN has to be checking something else in the cert (like the CN). How does this work if you're not using FQDNs when setting up the VPN? I think I read somewhere the IP can be put in the SAN field on the cert but I've gotten my self pretty confused and I'm really hoping someone tell me how this is generally dealt with.

Thanks

ha, well it turns out I was right to be confused. What happened was that I'd been given a VPN provisioning form that was missing sections for fqdns that would appear in the certs. There's no magic that I was missing out on, just an incomplete form

cheesyking wrote:

I'm trying to understand exactly how this works.

So is everybody else! The X509 system is pretty hideously complicated. I use OpenVPN, which is also SSL based but does not try to be a full-bore X509 implementation.

Good to know it's not just me then. I'd love to do openvpn instead but everything I do is mandated by the other end.

I really don't understand why you'd use a public CA for a connection between two parties like this. Seems like it just introduces a host of new potential security vulnerabilities that wouldn't be there otherwise, it's not like public CAs have a very good record on security anyway.