Easy-RSA 3.0 supports multiple root CAs fairly easily. By creating a separate CA directory under the EASYRSA root, with a different vars file for each, each individual CA can be managed with Easy-RSA.
Currently, ssl-admin does not support multiple root CAs, but creation of intermediate CAs is supported.
With OpenVPN, a single server instance can support multiple root CAs, accepting client connections whose certificates were signed by either CA. To enable such support, the CA certificates of all authorized CAs need to be concatenated into a single file that is passed to the OpenVPN --ca option. The same can be done with the certificate revocation list.
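One way to build that concatenated file safely, as an added example that is not part of the original text or of Easy-RSA or OpenVPN. It copies only PEM blocks of the expected type, refuses any input that contains a private key, and normalizes line endings so that a file lacking a final newline cannot fuse its END marker with the next BEGIN marker, which is how a plain cat produces a broken bundle. The function names and the file paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page). Usage, with hypothetical paths:
#   sh ca-bundle.sh CERTIFICATE ca-bundle.crt pki-old/ca.crt pki-new/ca.crt
#   sh ca-bundle.sh "X509 CRL"  crl-bundle.pem pki-old/crl.pem pki-new/crl.pem

# count_lines FILE TEXT: print how many lines of FILE equal TEXT (CR ignored).
count_lines() {
    tr -d '\r' < "$1" | grep -c -x -F -e "$2" || true
}

# build_bundle LABEL OUT IN...: write the LABEL blocks of every IN file to OUT.
build_bundle() {
    label=$1; out=$2; shift 2
    begin="-----BEGIN $label-----"; end="-----END $label-----"
    tmp="$out.tmp.$$"
    : > "$tmp" || return 1
    for f in "$@"; do
        # The bundle is copied to every peer, so key material must never enter it.
        if grep -q -e 'PRIVATE KEY-----' "$f"; then
            echo "refusing $f: contains private key material" >&2
            rm -f "$tmp"; return 2
        fi
        # Each input must contribute at least one complete block of the right type.
        n=$(count_lines "$f" "$begin")
        if [ "$n" -eq 0 ] || [ "$n" -ne "$(count_lines "$f" "$end")" ]; then
            echo "refusing $f: no complete '$label' block" >&2
            rm -f "$tmp"; return 3
        fi
        # Copy only the PEM blocks; awk ends every line with LF, so a file
        # without a final newline cannot fuse its END marker with the next BEGIN.
        awk -v b="$begin" -v e="$end" '
            { sub(/\r$/, "") }
            $0 == b { inside = 1 }
            inside  { print }
            $0 == e { inside = 0 }' "$f" >> "$tmp"
    done
    mv "$tmp" "$out"   # replace OUT only after every input passed the checks
}

if [ "$#" -ge 3 ]; then build_bundle "$@"; fi
```

The resulting certificate bundle is the file named by --ca; a bundle built with the "X509 CRL" label is the one named by --crl-verify.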
Generally, it is not recommended to use multiple CA certificates for a single OpenVPN instance; exceptions could be server or certificate authority migration, company or organization acquisitions, and so on.
Under no circumstances would it be ideal to use a web browser root certificate authority for an OpenVPN...