Hi Sarah,

Sarah Belghiti wrote:
> Hi,
>
> I'm trying to test OpenVPN with several CRLs.
> There are two Intermediate CA and a root CA.
> The two intermediates CA have revoked two certificates.
> So I have two CRLs.
> I've tried stacking the two CRLs in one (cat CRL-1.list CRL-2.list >
> CRL.pem ) and add the --crl-verify crl.pem but it does not work and
> only one of the two revoked certificates is unable to connect to the VPN.
>
> Then I saw this message :
> http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17643.html
> which seems to be the solution of my problem.
>
> Before testing it I wonder if adding --crl-verify is necessary ?
>

Stacking CRLs currently does not work with OpenVPN. A minor code change would be needed for the OpenSSL backend. You would need CRLs only if you are actively revoking user certificates - otherwise not. If you really need multiple CAs and multiple CRLs then use the --capath option.

HTH,
JJK
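
An added example, not part of the original thread or of OpenVPN's own code: a shell sketch that splits a stacked CRL file like the `CRL.pem` above into one file per CRL and installs each under the `<hash>.r<n>` name that OpenSSL's hashed-directory lookup (used by `--capath`) expects. The function names and the directory path are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): turn a stacked CRL bundle into
# per-CRL files named <issuer-hash>.r<n> inside an OpenVPN --capath directory.

# split_crls BUNDLE OUTDIR
# Writes each X509 CRL PEM block to OUTDIR/crl-N.pem; prints the block count.
split_crls() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN X509 CRL-----/ { n++; out = dir "/crl-" n ".pem"; inblk = 1 }
        inblk { print > out }
        /^-----END X509 CRL-----/ { inblk = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# install_crls BUNDLE CAPATH
# Copies every CRL in BUNDLE to CAPATH/<issuer-hash>.rN, using the first free N.
# Remove superseded *.rN files first, or old CRLs stay beside the new ones.
install_crls() {
    bundle=$1; capath=$2
    mkdir -p "$capath" || return 1
    tmp=$(mktemp -d) || return 1
    split_crls "$bundle" "$tmp" >/dev/null || { rm -rf "$tmp"; return 1; }
    for f in "$tmp"/crl-*.pem; do
        [ -f "$f" ] || continue
        # Hash of the CRL issuer name: the key used for hashed-directory lookup.
        h=$(openssl crl -hash -noout -in "$f") || { rm -rf "$tmp"; return 1; }
        n=0
        while [ -e "$capath/$h.r$n" ]; do n=$((n + 1)); done
        cp "$f" "$capath/$h.r$n" && echo "$capath/$h.r$n"
    done
    rm -rf "$tmp"
}

# Usage (paths are hypothetical):
#   install_crls CRL.pem /etc/openvpn/capath
# and in the server config:
#   capath /etc/openvpn/capath
```

The CA certificates go in the same directory, one per file, under `<hash>.<n>` names (the value printed by `openssl x509 -hash -noout`).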