What's the use of challenge password in build-key-server and build-key from Easy-RSA?

  • All the OpenVPN/Easy-RSA tutorials that I've found, advise to setting an empty challenge password while building the key for the OpenVPN server.

    • Anybody knows why? What's the intended use for the challenge password in Easy-RSA server's keys?

    • And what about client's keys? I see that a build-key-pass exists to generate encrypted client keys, but no server equivalent exists. Still, both build-key and build-key-pass ask for a challenge password.

    Have you had a look into SCEP recently? Even the concept itself if not the code of jscep will make clear what the challenge password is used for.

  • "Challenge password" is an obscure and usually useless feature. -> Leave empty.

    If your CA allows this, then the Challenge Password will be required of anyone who tries to get the cert revoked. -- But from what I understand there are few (or none?) CAs that actually use this. (Please leave a comment if you know otherwise.) So leave it empty if you're unsure.

    What's the intended use of a "Challenge Password"?

    As far as I understand it the idea is this:
    If you have a rogue admin who has access to the cert and key then that admin could revoke the cert and DOS you.

    But if you have a CA that will challenge the rogue admin to supply the "Challenge Password", then the rogue admin may not have that password and then you're safe from that DOS.
    (The CP is NOT included in either cert or key. Only in the CSR. And you don't need the CSR for daily operations, so presumably operations personnel might not come into contact with the CSR file and therefore not know the Challenge Password.) (But bear in mind that you still have to worry about a rogue admin who has your cert/key. A lot. So from my understanding you gain exactly nothing from having a "challenge password" in the first place. -- Correct me if I'm wrong. I've got the feeling I'm missing some essential idea here. -- Maybe this is meant to allow revocation by somebody holding just the certificate and the password but NOT the private key.)

    Further reading

    The (too short) official definition is here: RFC 2985: PKCS #9: Selected Object Classes and Attribute Types Version 2.0, Section 5.4.1: Challenge password

    The question comes up regularly:

    Further source:

    There is no such thing as rogue admin. You may have a limited trust but you have trust nontheless. CSR challenge has plenty of use cases in very specific situations. If you dispose of CSR properly it can be treated as a secret (I know it is plaintext in the CSR, that is not the point). If you use a split secret scenario you may build an environment where revocation is only possible upon agreement of both user and issuer of the certificate. Issuer types in half of the password and the requester types in the half, then trusted 3rd party takes care of the CSR handling.

License under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM

Tags used