There are many options. Since OpenVPN is an open source project and has the ability to let you write your own authentication hook, many people have done many different things to provide different levels of authentication.

One main method is to make the private portion of your key pair prohibitively difficult to extract or copy. (ref: OpenVPN offers support of smart cards via PKCS#11 based cryptographic tokens.) The private key can be stored on a physical token and cannot be copied or retrieved. I have seen mentions of using the TPM; this is similar to a hardware token, but built in to the motherboard. I saw something on a mailing list mentioning that it was possible to use the Windows certificate store for the key. Keys there can be marked so they are not exportable. Some of these may require patches or the non-free version. I haven't tried most of these, just seen them mentioned in the docs, blogs and mailing lists.

If protecting the key is cost-prohibitive, not supported on your client platforms, or not possible for some other reason, then you are left with a few options. Set a lot of logging on your server, to watch for anomalies. Require frequent renewals of the cert, so a copied certificate cannot be used for long.
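The two fallback measures above (watch the server log for anomalies, keep certificate lifetimes short) can be scripted. The following Python is an added example, not code from the original post or from the OpenVPN project: it parses the "Peer Connection Initiated" lines of an OpenVPN 2.x server log, flags a common name that shows up from two different source addresses inside a short window (the classic sign of a copied client certificate), and reads the `notAfter=` line that `openssl x509 -noout -enddate` prints to see how much life a client cert has left. The log lines, addresses, names and dates are constructed for the example; the one-hour window and the 7-day renewal threshold are assumed values you would tune to your own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in OpenVPN 2.x server log format (not real traffic).
# "alice" connects from two different addresses twenty minutes apart: that is
# the pattern a copied key would produce.
SAMPLE_LOG = """\
Tue Mar  5 09:00:01 2024 198.51.100.7:41022 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:41022
Tue Mar  5 09:05:12 2024 203.0.113.40:52211 [bob] Peer Connection Initiated with [AF_INET]203.0.113.40:52211
Tue Mar  5 09:20:33 2024 192.0.2.99:60010 [alice] Peer Connection Initiated with [AF_INET]192.0.2.99:60010
Tue Mar  5 13:00:00 2024 198.51.100.7:41050 [alice] Peer Connection Initiated with [AF_INET]198.51.100.7:41050
Tue Mar  5 13:10:00 2024 203.0.113.40:52300 [bob] Peer Connection Initiated with [AF_INET]203.0.113.40:52300
"""

# Timestamp, source address and the certificate CN in square brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) "
    r"(?P<src>[\d.]+):\d+ \[(?P<cn>[^\]]+)\] Peer Connection Initiated"
)


def parse_connections(text):
    """Return a list of (timestamp, common_name, source_ip) for each session start."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other OpenVPN log lines are ignored
        # OpenVPN pads single-digit days with a second space; collapse it for strptime.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%a %b %d %H:%M:%S %Y")
        conns.append((ts, m.group("cn"), m.group("src")))
    return conns


def find_shared_certs(conns, window=timedelta(hours=1)):
    """Flag a CN seen from two different source addresses within `window`.

    Returns (cn, timestamp, previous_src, new_src) tuples. A roaming laptop can
    also trigger this, so treat hits as something to investigate, not proof.
    """
    last_seen = {}  # cn -> (timestamp, src) of the most recent session
    alerts = []
    for ts, cn, src in sorted(conns):
        prev = last_seen.get(cn)
        if prev is not None and prev[1] != src and ts - prev[0] <= window:
            alerts.append((cn, ts, prev[1], src))
        last_seen[cn] = (ts, src)
    return alerts


def days_remaining(enddate_line, now):
    """Parse 'notAfter=Mar 30 12:00:00 2024 GMT' (openssl x509 -enddate output)
    and return whole days left before the client certificate expires."""
    value = enddate_line.split("=", 1)[1]
    not_after = datetime.strptime(" ".join(value.split()), "%b %d %H:%M:%S %Y GMT")
    return (not_after - now).days


def needs_renewal(enddate_line, now, within_days=7):
    """True when the cert should be reissued now; with short-lived certs this
    is what you would run from a daily job against each client cert."""
    return days_remaining(enddate_line, now) <= within_days


if __name__ == "__main__":
    for cn, ts, old, new in find_shared_certs(parse_connections(SAMPLE_LOG)):
        print(f"{ts}: cert for '{cn}' used from {old} and then {new}")
    # Constructed notAfter value, as printed by: openssl x509 -noout -enddate -in client.crt
    sample_enddate = "notAfter=Mar 30 12:00:00 2024 GMT"
    now = datetime(2024, 3, 5, 9, 0)
    print("days left:", days_remaining(sample_enddate, now),
          "renew now:", needs_renewal(sample_enddate, now))
```

Note that the server only logs a second session for the same CN if it accepts it; by default OpenVPN disconnects the earlier session when a client with the same CN connects, and `duplicate-cn` allows both, so either way the log shows the second "Peer Connection Initiated" that this script keys on.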