Could I delete .csr files once the key has been signed by the CA?

The Certificate Signing Request (CSR) is of no use once you've obtained your certificate. It's merely one of the vehicles that can be used to give the CA your public key as part of the application process, so that they can issue a certificate.

You'll now be able to get the public key again from the certificate itself anyway.

In fact, in this particular format, you'll be able to get the public key from the .key file:

openssl rsa -in NewClient007.key -pubout

In fact, you'll also be able to re-generate the CSR using this:

openssl req -new -key NewClient007.key -out NewClient007.csr

(Note that you don't need the -days 3652 option when generating the CSR, since a CSR doesn't have not-before/not-after dates, unlike X.509 certificates. This is only useful if you want to generate a certificate during this step.)

I would, however, suggest using -newkey rsa:2048 or -newkey rsa:4096 instead of relying on the default key size, which is often 1024 bits.


Yes, once the certificate is signed you no longer need the signing request.


Normally, you do things in that order:

  1. On your openvpn server, you create the key pair and the certificate request, with openssl req.
  2. You transport the certificate request (the ".csr" file) to the CA.
  3. The CA issues the certificate (in your case, with openssl ca), producing the ".crt" file.
  4. You transport the certificate back to the openvpn server.

The certificate request contains only the public key, not the private. It can travel without any protection against eavesdroppers, because it contains nothing confidential. You still have to make sure that what the CA obtains is indeed the request sent by the client, in case the transmission could be tampered with.

Once the certificate has been issued, the certificate request can be deleted because it has no further use. But you can keep it as a guide for subsequent requests (e.g. the one you will do ten years from now); since there is nothing confidential in that request, there is no need to protect its archival. Similarly, while the CA need not keep a copy of the certificate itself, it is considered good practice to do it anyway. Most CA software does that automatically (by using the OpenSSL command-line tool, you are choosing the "hard path").

It is best if the private key is generated on the openvpn server itself and never leaves that server, as explained above. Generating the key on the CA machine and then transporting it to the openvpn server raises some issues: how do you make sure that the key is not spied upon during that transfer? How do you make sure that no copy of that key lingers on the CA hard disk?
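The following script is an added example, not code posted by any of the answerers above. It runs the four-step flow from the last answer (key pair and CSR on the server, CSR to the CA, certificate issued, certificate back) against a throwaway test CA, and then performs the checks the first answer implies: the key file, the CSR and the certificate all carry the same public key, the CSR and certificate contain no private material, and the CSR can be deleted and rebuilt from the key alone. It assumes the openssl CLI is on PATH and reuses the NewClient007 file name from the question; the test CA here signs with "openssl x509 -req" rather than "openssl ca", purely to avoid the index/serial directory setup that ca(1) needs. The CSR fingerprint it prints is the value you would confirm with the CA out of band, since the request is public but must reach the CA unaltered.

```shell
#!/bin/sh
# Added example: key -> CSR -> certificate with a test CA, then consistency checks.
# Assumes: openssl on PATH. File names follow the question; the CA is a throwaway
# self-signed cert created here, signing via "openssl x509 -req" (not "openssl ca").
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/CN=NewClient007"
KEY="$WORK/NewClient007.key"
CSR="$WORK/NewClient007.csr"
CRT="$WORK/NewClient007.crt"

# Hash a PEM SubjectPublicKeyInfo read from stdin, so the public keys pulled out
# of the key file, the CSR and the certificate can be compared as plain strings.
spki_digest() {
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# Step 1 (on the server): key pair plus CSR in one command. -newkey rsa:2048 sets
# the size explicitly instead of trusting the default; -nodes leaves the key
# unencrypted so the demo runs without a passphrase prompt.
make_key_and_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$SUBJ" \
        -keyout "$KEY" -out "$CSR" 2>/dev/null
}

# Fingerprint of the CSR file: nothing in it is secret, but the CA should check
# that the request it received is the one the server sent (compare out of band).
csr_fingerprint() {
    openssl dgst -sha256 -r "$CSR" | cut -d' ' -f1
}

# Steps 2-4 (at the CA): create the test CA, verify the CSR's self-signature,
# then issue the client certificate from the request.
ca_sign() {
    openssl req -x509 -new -newkey rsa:2048 -nodes -subj "/CN=Test CA" \
        -days 3652 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl req -in "$CSR" -verify -noout >/dev/null 2>&1
    openssl x509 -req -in "$CSR" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 3652 -out "$CRT" 2>/dev/null
}

# The public key, read out of each of the three artifacts (all SPKI PEM).
pubkey_from_key()  { openssl rsa  -in "$KEY" -pubout 2>/dev/null | spki_digest; }
pubkey_from_csr()  { openssl req  -in "$CSR" -pubkey -noout       | spki_digest; }
pubkey_from_cert() { openssl x509 -in "$CRT" -pubkey -noout       | spki_digest; }

# Returns 0 when key file, CSR and certificate all carry the same public key.
all_match() {
    k=$(pubkey_from_key); c=$(pubkey_from_csr); x=$(pubkey_from_cert)
    [ "$k" = "$c" ] && [ "$c" = "$x" ]
}

# Delete the CSR and rebuild it from the private key alone; no -days is needed
# because a request carries no validity period.
regenerate_csr() {
    rm -f "$CSR"
    openssl req -new -key "$KEY" -subj "$SUBJ" -out "$CSR" 2>/dev/null
}

# Returns 0 if a PEM file wrongly contains private key material (it never should
# for a CSR or a certificate; only the .key file may).
contains_private_key() {
    grep -q "PRIVATE KEY" "$1"
}

run_demo() {
    make_key_and_csr
    echo "CSR fingerprint to confirm with the CA: $(csr_fingerprint)"
    ca_sign
    all_match && echo "key, CSR and certificate share one public key"
    before=$(csr_fingerprint)
    regenerate_csr
    all_match && echo "CSR rebuilt from the key; public key unchanged"
    echo "rebuilt CSR fingerprint: $(csr_fingerprint) (original: $before)"
}

run_demo
```

Because the request and the certificate are derived from the private key, deleting NewClient007.csr loses nothing: the check that matters in practice is that the public key in the issued certificate matches the one in the .key file on the server, which is what all_match verifies before and after the CSR is rebuilt.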