Multiple CAs and CRLs

Easy-RSA 3.0 supports multiple root CAs fairly easily. By creating a separate CA directory under the EASYRSA root, each with its own vars file, every CA can be managed individually with Easy-RSA.

Currently, ssl-admin does not support multiple root CAs, but creation of intermediate CAs is supported.

With OpenVPN, a single server instance can support multiple root CAs, accepting connections from clients whose certificates were signed by either CA. To enable such support, the CA certificates of all authorized CAs need to be concatenated into a single file, which is then passed to the --ca OpenVPN option. The same can be done with the certificate revocation lists.
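A plain concatenation goes wrong when an input file lacks a trailing newline, is listed twice, or is actually a private key. The following sketch is an added example, not code from the book or from OpenVPN; the names build_bundle and pem_blocks and the sample data are assumptions made for illustration. It checks PEM structure only and does not verify signatures or validity dates.

```python
import base64
import re

# Matches one PEM block of any type; text outside blocks is ignored.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----"
)

def pem_blocks(text, label):
    """Return the normalised PEM blocks of type `label` found in `text`."""
    blocks = []
    for m in PEM_RE.finditer(text):
        if m.group("label") != label:
            # e.g. a private key handed in by mistake must never be bundled
            raise ValueError(f"unexpected PEM type {m.group('label')!r}")
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
        if not der or der[0] != 0x30:  # certificates and CRLs are DER SEQUENCEs
            raise ValueError("PEM body is not a DER SEQUENCE")
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        blocks.append("\n".join(
            [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n")
    return blocks

def build_bundle(pem_texts, label):
    """Concatenate PEM inputs into one bundle, newline-safe and de-duplicated."""
    seen, out = set(), []
    for text in pem_texts:
        found = pem_blocks(text, label)
        if not found:
            raise ValueError(f"input contains no {label} block")
        for block in found:
            if block not in seen:
                seen.add(block)
                out.append(block)
    return "".join(out)

if __name__ == "__main__":
    # Constructed placeholder blocks (not real certificates), no trailing newline.
    def sample(der):
        b64 = base64.b64encode(der).decode()
        return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----"
    ca1, ca2 = sample(b"\x30\x03\x02\x01\x01"), sample(b"\x30\x03\x02\x01\x02")
    print(build_bundle([ca1, ca2, ca1], "CERTIFICATE"), end="")
```

Call build_bundle with the label "CERTIFICATE" for the CA file and "X509 CRL" for the revocation list file.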

Generally, it is not recommended to use multiple CA certificates ...
