pieterlange/kube-openvpn

Improve client cert issuance

pieterlange opened this issue · 0 comments

Currently the openvpn operator holds all the keys, probably on a laptop somewhere. This is unnecessary and can be improved.

The problem is twofold:

  • Secure storage of keys (upstream discussion)
    • Password on the CA key by default
    • Document/refer to secure procedures for managing the CA
  • Provide workflow for signing client CSRs.
    • Signing
    • Generating the .ovpn combined file client-side (needs to include client key)
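
One possible shape for the client-side half of the workflow listed above, as an added example that is not part of the issue or of kube-openvpn's code: the client generates its own key and CSR, then, once the operator returns the signed certificate, checks that it matches the local key and assembles the combined .ovpn file. Function names, file names and the 2048-bit RSA choice are assumptions.

```shell
#!/bin/sh
# Added example; names and layout are assumptions, not kube-openvpn's own.

# gen_csr NAME DIR: create the key pair and CSR on the client.
# Only DIR/NAME.csr is sent to the CA operator; the key stays local.
gen_csr() (
    umask 077                       # key file readable by owner only
    mkdir -p "$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr" 2>/dev/null
)

# cert_matches_key CERT KEY: succeed only if the returned certificate
# carries the public key of the locally generated private key.
cert_matches_key() (
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ "$c" = "$k" ]
)

# build_ovpn BASE_CONF CA_CERT CLIENT_CERT CLIENT_KEY OUT
# Inline the PEM files into one profile, written with mode 0600.
build_ovpn() (
    base=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; exit 1; }
    done
    # The operator should only ever send certificates back.
    if grep -q 'PRIVATE KEY' "$ca" "$cert"; then
        echo "private key found in CA/cert input" >&2; exit 1
    fi
    umask 077
    {
        cat "$base"
        printf '<ca>\n';   cat "$ca";   printf '</ca>\n'
        printf '<cert>\n'; cat "$cert"; printf '</cert>\n'
        printf '<key>\n';  cat "$key";  printf '</key>\n'
    } > "$out"
)
```

In this sketch the CA key is never needed on the client, and the client key is never needed by the operator; only the CSR and the signed certificate cross between them.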