On Thu, 27 Sep 2012, Jim Pingle wrote:

> On 9/27/2012 5:06 PM, Paul Heinlein wrote:
>> My guess is that, in most deployments, only the *.crl-verify file
>> will need to change during day-to-day operations. Any other change
>> (certificate, basic configuration, etc.) would necessitate a
>> restart.
>>
>> Again, if I'm missing something, I'd be more than happy to be set
>> straight!
>
> Well, I may have spoken a little too hastily; seems I did make a
> function when I wrote the CRL code called openvpn_refresh_crls()
> that rewrites just the CRLs if they change. Any time you press
> 'Save' on the CRL screen, or delete a cert from an active CRL, it
> will rewrite those files.
>
> So that does work as you describe if you are editing the same CRL
> that's currently in use. I don't recall if that worked for imported
> CRLs (I can't remember if you could paste in a new one or if it
> didn't let you edit an imported CRL); I don't have an imported one
> handy to test.
I'm running 2.0.1. As far as I can tell, there's no way to edit (or
paste over) an imported CRL. The process as I understand it is:

1. Generate the CRL using the external CA.
2. System -> Cert Manager -> Certificate Revocation -> add a new CRL.
3. VPN -> OpenVPN -> Server -> edit server, specifying the new CRL and
   then saving the changes.

The last bit, saving the changes, writes out the entire set of OpenVPN
files (CA cert, key, certificate, TLS key, configuration, and CRL)
afresh and restarts the openvpn daemon.
I appreciate you taking the time to investigate the issue with me. I
just want to make sure I'm not overlooking something.
--
Paul Heinlein
[email protected]
45°38' N, 122°6' W
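The "rewrite just the CRLs if they change" behaviour Jim describes, and the distinction Paul draws between a CRL-only refresh and a full rewrite-and-restart, can be illustrated with a small standalone script. This is an added example, not pfSense code and not the openvpn_refresh_crls() function from the thread; it assumes a hypothetical path for the server's crl-verify file and uses a constructed, PEM-shaped sample body (a bare DER SEQUENCE, not a real CRL) so it runs offline. It installs a new CRL only when the content differs, does a cheap structural check before touching the live file, and replaces it atomically so a daemon that re-reads the file never sees a half-written one.

```python
import base64
import hashlib
import os
import tempfile

# Constructed sample (not a real CRL): PEM armour for an X.509 CRL
# wrapping the DER bytes 30 03 02 01 00, a SEQUENCE holding INTEGER 0.
SAMPLE_CRL_PEM = (
    "-----BEGIN X509 CRL-----\n"
    "MAMCAQA=\n"
    "-----END X509 CRL-----\n"
)


def pem_looks_like_crl(pem: str) -> bool:
    """Cheap structural sanity check before the live file is touched:
    correct PEM armour and a body that base64-decodes to a DER SEQUENCE.
    This is not full parsing; a real deployment should also verify the
    CRL signature against the issuing CA before installing it."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 3:
        return False
    if lines[0] != "-----BEGIN X509 CRL-----" or lines[-1] != "-----END X509 CRL-----":
        return False
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(der) > 0 and der[0] == 0x30  # 0x30 = ASN.1 SEQUENCE tag


def refresh_crl(path: str, new_pem: str) -> bool:
    """Rewrite `path` only when the CRL content actually differs.
    Returns True if the file was replaced, False if it was already
    current. Writes go to a temp file in the same directory followed by
    os.replace(), so the swap is atomic on POSIX filesystems."""
    if not pem_looks_like_crl(new_pem):
        raise ValueError("refusing to install a malformed CRL")
    new_bytes = new_pem.encode()
    new_digest = hashlib.sha256(new_bytes).digest()
    if os.path.exists(path):
        with open(path, "rb") as f:
            if hashlib.sha256(f.read()).digest() == new_digest:
                return False  # unchanged: nothing to rewrite, no restart needed
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(new_bytes)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return True


def demo_refresh_twice() -> tuple:
    """Install the sample CRL into a fresh temp directory twice; the first
    call writes the file, the second finds it unchanged."""
    workdir = tempfile.mkdtemp()
    # Hypothetical file name; pfSense's real layout is not assumed here.
    crl_path = os.path.join(workdir, "server1.crl-verify")
    first = refresh_crl(crl_path, SAMPLE_CRL_PEM)
    second = refresh_crl(crl_path, SAMPLE_CRL_PEM)
    return first, second


if __name__ == "__main__":
    print(demo_refresh_twice())  # (True, False)
```

The point of the digest comparison is operational: when only the CRL changed, the file on disk is swapped and nothing else is rewritten, which is exactly the case where a daemon restart is unnecessary; anything that fails the structural check is rejected before the old, still-valid CRL is overwritten.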
_______________________________________________
List mailing list
[email protected]
http://lists.pfsense.org/mailman/listinfo/list