Purpose of CA when running OpenVPN with User Auth only?

[pv2b]

Hello!

I have a scenario I'm working with where it is not feasible to do a PKI infrastructure for the purpose of VPN client authentication. Instead, we want to use Username/Password authentication through RADIUS.

In this scenario, I am not expecting a certificate authority to be neccessary to configure, since the authentication happens through:

1. A pre-shared key for TLS auth (to protect the initial exchange and provide some protection from casual password bruteforce attacks, because you cannot even try a password unless you have this PSK)
2. Username and passsword

In this scenario, I don't see the purpose of a certificate authority, yet it is forced for me to configure one for this scenario. Am I misunderstanding something about how this is supposed to work? Also, a "server certificate" is required, I'm not sure where this is used?

More generally, my concern is, I want to be aware of any "time bombs" in the system. For example, what if this (useless?) CA certificate expires.

[juere]

The purpose of a CA in your case is to avoid a MITM attack where *another* server pretends to be your VPN Gateway.
Your client is willingly supplying username and password and by doing so compromises your VPN account.

In other words:
Your OpenVPN client verifies the signature of the server cert to make sure it is talking to the *right* server.
To verify the signature it needs the issueing CA.

If you are concerned about CA expiration, you are free to give it any lifetime you want

[pv2b]

Thank you, that makes sense. I thought that this was the purpose of the pre-shared key, but now that you mention it, of course a symmetric key cannot be used for this purpose because all clients have access to this PSK and they could then impersonate the server.

But then what about the "Peer Certificate Authority"? Since we're not using client keys, the peers shouldn't be presenting any client certificates at all, or am I misunderstanding something?

[juere]

But then what about the "Peer Certificate Authority"? Since we're not using client keys, the peers shouldn't be presenting any client certificates at all, or am I misunderstanding something?

The "Peer Certificate Authority" in your setup is the one that has issued the server certificate.
It is not used by the server itself (as there are no client certificates) but included in the client config file when you export one using "VPN->OpenVPN->Client Export". Therefore it is selectable in server configuration.