What's the use of challenge password in build-key-server and build-key from Easy-RSA?

"Challenge password" is an obscure and usually useless feature. -> Leave empty.

If your CA allows this, then the Challenge Password will be required of anyone who tries to get the cert revoked. -- But from what I understand there are few (or none?) CAs that actually use this. (Please leave a comment if you know otherwise.) So leave it empty if you're unsure.

What's the intended use of a "Challenge Password"?

As far as I understand it the idea is this:
If you have a rogue admin who has access to the cert and key then that admin could revoke the cert and DOS you.

But if you have a CA that will challenge the rogue admin to supply the "Challenge Password", then the rogue admin may not have that password and then you're safe from that DOS.
(The CP is NOT included in either cert or key. Only in the CSR. And you don't need the CSR for daily operations, so presumably operations personnel might not come into contact with the CSR file and therefore not know the Challenge Password.) (But bear in mind that you still have to worry about a rogue admin who has your cert/key. A lot. So from my understanding you gain exactly nothing from having a "challenge password" in the first place. -- Correct me if I'm wrong. I've got the feeling I'm missing some essential idea here. -- Maybe this is meant to allow revocation by somebody holding just the certificate and the password but NOT the private key.)

What's the use of challenge password in build-key-server and build-key from Easy-RSA?

"Challenge password" is an obscure and usually useless feature. -> Leave empty.

What's the intended use of a "Challenge Password"?

Further reading

Tags:

Openssl

Openvpn

Related

Recent Posts