truglodite
Regular Contributor
I have been getting my cranial signals crossed learning the ins/outs of SSL, as it relates to openvpn vs merlin webui. I need a few questions answered to help straighten my course. This is just for my home, n66u 380.67, with only a handful of family-only devices connecting.
Right now my openvpn server (on merlin) is working well after a basic gui setup, but I'm studying on upgrading to individual client PKI pairs with easyrsa. The https webui requires extra clicks to access with a red lock... annoying. I'm only accessing the webui from one lan machine, but it would be nice to greenify it, rather than (-half donkey-) http it.
Can I safely use a single PKI (same ca) to build files for both openvpn and webui (and pixelserv-tls), or should I set up a separate PKI for each server? (I'm always interested in the perform:secure reasoning.)
For ovpn, my understanding is I would paste my server keys/certs in the openvpn server gui (say, 'server1'), then setup/export/modify custom client configs that point to the key/crt files on the clients, correct? What happens with the user/passwords listed in the gui?
For the webgui, I presume I use easyrsa\build-key-server again (cn = 'server2'), then copy/paste contents over the router's existing persistent webui pair (in /jffs/ssl). What about the client end... no export button? (lol j/k)... do I just have the os trust the root cert? Again, only 1 lan wired rig will ever need to access it.
I presume the same strategy for the webui would also work for a pixelserv-tls (I believe they're the same thing... both openssl+httpd servers). If so, my plan is to generate another server pair (cn=server3) for pixelserv-tls, using the same ca. That should just work as long as the client OSes trust the ca, correct?
Considering the 3 server uses, is it still OK just having one ca? My kids' devices will be 'accessing' pixelserv all the time, and one PKI means they'll be able to access the router login page as well... my router PW is in itself fairly secure... just worried if the kiddos install malware on their devices without my knowledge.
Thanks in advance,
Kevin
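The one-ca-or-several question in the post above, worked through as an added example that is not from this thread or from ASUSWRT-Merlin: two small CAs built with the openssl CLI (assumed installed), one signing the OpenVPN server cert and the other the web UI and pixelserv-tls certs, then `openssl verify` showing that each certificate chains only to the CA that issued it. OpenVPN clients check the server against the ca embedded in their own .ovpn config rather than the OS trust store, so only the LAN CA ever needs to be installed on a device; the hostnames, the LAN address and the working directory are constructed placeholders.

```shell
#!/bin/sh
# Added illustration (not from the thread): two separate CAs, so a device that
# trusts only the LAN CA (web UI, pixelserv-tls) does not thereby trust anything
# signed by the VPN CA, and vice versa. Names and addresses are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"   # throwaway directory for keys and certs

# csr NAME: fresh RSA key plus a CSR with CN=NAME (easyrsa's default subject)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
# make_ca NAME: self-signed CA carrying the extensions verifiers expect of a CA
make_ca() {
  csr "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}
# issue_server CA CN SAN: server cert signed by CA; the SAN is what browsers match
issue_server() {
  csr "$2"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n' \
    "$3" > "$WORK/$2.ext"
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 825 -extfile "$WORK/$2.ext" -out "$WORK/$2.crt" 2>/dev/null
}
# verify_against CA CERT: exit 0 only if CERT chains to that CA
verify_against() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}
# build_pki: one CA for the OpenVPN server, a second for the LAN TLS services
build_pki() {
  make_ca vpn-ca
  make_ca lan-ca
  issue_server vpn-ca server1 "DNS:vpn.home.example"        # OpenVPN server
  issue_server lan-ca server2 "IP:192.168.1.1"              # router web UI
  issue_server lan-ca server3 "DNS:pixelserv.home.example"  # pixelserv-tls
}

# Stand-alone run: show which CA vouches for which certificate
build_pki
for pair in "vpn-ca server1" "lan-ca server2" "lan-ca server3" \
            "lan-ca server1" "vpn-ca server2"; do
  set -- $pair
  if verify_against "$1" "$2"; then echo "$2: trusted via $1"
  else echo "$2: NOT trusted via $1"; fi
done
```

Installing only `lan-ca.crt` in a device's trust store makes server2 and server3 green while leaving server1 unknown to that device, which is the isolation the single-ca setup cannot give.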