I'm setting up an OpenVPN server for my organization, and I'm reading up on the different ways that the client-side keys work. I'm still a little unfamiliar with all of the concepts behind these client keys and account auth.
- What are the real benefits of using the ./build-key-pass vs the ./build-key to generate the client keys? Is this just similar to password protecting an SSH key? Not all of our employees who require an account are tech savvy, so is it worth introducing another set-up step?
- I see now that there is an option to not require typical username/password authentication when using client keys. My plan was to do a useradd on the server for each client. If I don't use the user-pass auth settings, then how would I revoke access to a specific client?
- How can I securely deliver these client certificates to all of our employees who need an account? I believe that the client.key files are supposed to be private, and emailing the files seems like it would be insecure.