I have two vpn hosts, vpn1 being the primary, vpn2 being a hot failover machine for cases where vpn1 goes down, either planned or unplanned.
Right now, we manage client keys using the easy-rsa shell script package provided by openvpn, but the process put into place by my predecessor is to run the build key script on vpn1, and then run it again on vpn2 with the same answers, but only giving out the key/crt from vpn1 to the client.
This seems wrong to me, on two levels: one, I don't think that this will work at all; the key from vpn1 is not likely to work to authenticate to vpn2 this way, and two, it's a lot of extra work.
I would prefer to synchronize key stores between the two machines. Is this possible? If so, what do I need to ensure is in sync between the two machines?
With my openvpn config, the question the server asks itself when a certificate is presented by an end-user is: is this certificate signed by the right CA?
If both servers have the same CA root certificate installed, then you don't need to synchronise the keystores because you don't need two keystores at all. You need one keystore, which need not be on either of the two openvpn boxes (and arguably shouldn't). From that keystore, you make the CA root available to both openvpn servers, and tell them where it is:
and you make the client certificates, signed with this CA, and the client's corresponding secret keys, available to the clients. You also make the server's certificate/keyfile pair, and put that on one or both of the servers (or generate one pair for each server, if you like; if the clients are set to verify the server, and have a copy of the CA certificate, either is fine). The server can verify the client certificates, because it has a copy of the CA certificate. The server doesn't need a view into the keystore, any more than the clients do.
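To make the answer's point concrete, here is an added demo (not from the post or from easy-rsa): one offline CA signs a client certificate, and a directory standing in for each server, holding nothing but a copy of ca.crt, verifies that certificate while rejecting one issued by an unrelated CA. It assumes openssl on PATH and POSIX sh; all names, paths and CNs are constructed for the demo.

```shell
#!/bin/sh
# Added demo, not from the post: one offline CA signs client certs, and a server
# holding only ca.crt can verify them. Assumes openssl on PATH; all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed CA: this is what easy-rsa's build-ca produces underneath.
gen_ca() {  # $1 = file stem, $2 = CN
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Client key + CSR, then a cert signed by the named CA (what build-key does).
issue_client() {  # $1 = CA stem, $2 = client name
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# The only question an openvpn server asks of a presented cert: does it chain to
# my ca.crt? Prints "ok" or "fail" for a server dir (ca.crt only) and a client name.
verdict() {  # $1 = vpn1|vpn2, $2 = client name
  if openssl verify -CAfile "$WORK/$1/ca.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

setup() {
  gen_ca shared-ca "Shared VPN CA"
  gen_ca other-ca "Unrelated CA"       # stands in for a CA built separately elsewhere
  issue_client shared-ca alice
  issue_client other-ca bob
  for srv in vpn1 vpn2; do             # each server gets the CA cert, nothing else
    mkdir -p "$WORK/$srv"
    cp "$WORK/shared-ca.crt" "$WORK/$srv/ca.crt"
  done
}

setup
for srv in vpn1 vpn2; do
  for cl in alice bob; do
    echo "$srv presented $cl.crt: $(verdict "$srv" "$cl")"
  done
done
```

Both vpn1 and vpn2 accept alice.crt and reject bob.crt with no client key material present on either server, which is the reason the answer says a single CA cert, not a synchronised keystore, is what the two boxes need to share.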