On Wed, 3 Nov 2010, Ross Walker wrote:

> As always it's better to use internally generated certificates that
> are password protected than either passwords or certificates alone.
> Having said that, these password-protected certificates are a PITA to
> distribute to users and to support remotely.

The biggest headache with OpenVPN is PKI. The OpenVPN source ships with some scripts for doing certificate authority work, but eventually the administrator has to figure out PKI for all but the very smallest of deployments.

That said, OpenVPN deals very nicely with certificate revocations, making it easy to void a certificate if a key is lost, stolen, or a victim of the HR department.

I agree that distributing password-protected keys is a pain. In a savvy environment, you can show people how to encrypt their own keys using the openssl binary (even on Windows), but that certainly doesn't work everywhere. On the upside, all the client OpenVPN GUIs I've used (Windows, Tunnelblick for Mac, NetworkManager) handle encrypted keys quite nicely these days, prompting for the passphrase at connection time.

-- 
Paul Heinlein <> heinlein at madboa.com <> http://www.madboa.com/