by don_draper 4654 days ago
" On your CA's environment (hopefully elsewhere):

openssl x509 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 730 -req -in vpn.csr -out vpn-cert.pem "

What does the author mean by 'hopefully elsewhere?' It's no longer a simple one-server solution, no?

1 comments

Your CA doesn't have to be (read: shouldn't be) the same box. Also, it doesn't have to be (read: shouldn't be) connected to the internet. I recommend a USB key you keep around your neck or on your keychain, but it's really up to you.
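
The split the comment describes, as an added example that is not part of the thread or the quoted article: only the CSR travels to the CA and only certificates travel back, so the CA key never touches the VPN server. The two directories stand in for the offline media and the server, and `vpn-key.pem`, the directory names and the subject names are assumptions; the other file names come from the quoted command.

```shell
#!/bin/sh
# Added example. Two directories stand in for two machines (assumption):
#   ca-usb/      offline CA media, the only place cakey.pem ever exists
#   vpn-server/  the internet-facing VPN box
set -eu

sign_offline() {
    work="$1"; ca="$work/ca-usb"; srv="$work/vpn-server"
    mkdir -p "$ca" "$srv"

    # [CA, offline, one time] CA key and self-signed CA certificate.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example VPN CA" \
        -keyout "$ca/cakey.pem" -out "$ca/cacert.pem" 2>/dev/null
    chmod 600 "$ca/cakey.pem"

    # [VPN server] Server key and CSR. The server key never leaves this box.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$srv/vpn-key.pem" -out "$srv/vpn.csr" 2>/dev/null

    # [transfer ->] Only the CSR (public data) travels to the CA.
    cp "$srv/vpn.csr" "$ca/vpn.csr"

    # [CA, offline] The signing command quoted in the post.
    ( cd "$ca" && openssl x509 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
        -days 730 -req -in vpn.csr -out vpn-cert.pem 2>/dev/null )

    # [<- transfer] Only certificates (public data) travel back.
    cp "$ca/vpn-cert.pem" "$ca/cacert.pem" "$srv/"

    # [VPN server] Checks: no CA key here, chain verifies, cert matches our key.
    [ ! -e "$srv/cakey.pem" ] || return 1
    openssl verify -CAfile "$srv/cacert.pem" "$srv/vpn-cert.pem" >/dev/null || return 1
    cert_pub=$(openssl x509 -in "$srv/vpn-cert.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$srv/vpn-key.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ] || return 1
    echo OK
}

# Run once in a throwaway directory.
demo=$(mktemp -d)
sign_offline "$demo"
rm -rf "$demo"
```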