Hi,

Sarah Belghiti wrote:
> Hi,
> Thanks for your help.
> I do need multiple CAs and multiple CRLs.
> Using the --capath option means replace "ca ca.crt" by "capath
> /path/to/a/directory" in the server conf file ??

yes you'd use

  capath /full/path/to/dir

and in that directory you'll need to create hashed versions of the
certificate and CRLs used; the .crt files should be renamed to <hash>.0
and the .crl files to <hash>.r0 where <hash> is the output of

  openssl x509 -hash -noout -in ca.crt

HTH,

JJK

> 2013/7/1 Jan Just Keijser <janj...@nikhef.nl>
>
> > Hi Sarah,
> >
> > Sarah Belghiti wrote:
> > > Hi,
> > >
> > > I'm trying to test OpenVPN with several CRLs.
> > > There are two intermediate CAs and a root CA.
> > > The two intermediate CAs have revoked two certificates.
> > > So I have two CRLs.
> > > I've tried stacking the two CRLs in one (cat CRL-1.list
> > > CRL-2.list > CRL.pem ) and add the --crl-verify crl.pem but it
> > > does not work and only one of the two revoked certificates is
> > > unable to connect to the VPN.
> > >
> > > Then I saw this message :
> > >
> > > http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17643.html
> > > which seems to be the solution of my problem.
> > >
> > > Before testing it I wonder if adding --crl-verify is necessary ?
> >
> > stacking CRLs currently does not work with OpenVPN. A minor code
> > change would be needed for the Openssl backend.
> > you would need CRLs only if you are actively revoking user
> > certificates - otherwise not.
> > If you really need multiple CAs and multiple CRLs then use the
> > --capath option.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
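
The capath layout described in the reply above, as an added example that is not part of the original thread: a POSIX shell function that copies each CA certificate and CRL into the directory under its hash name. The function names, the *.crt / *.crl naming convention and the use of `openssl crl -hash` for CRLs (it prints the issuer-name hash, which equals the issuing CA's subject hash) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): fill an OpenVPN capath directory with
# hash-named copies of CA certificates (<hash>.N) and CRLs (<hash>.rN).
# Assumed convention: PEM inputs named *.crt (CA certs) or *.crl (CRLs).

# Print the name to use in dir $2 for file $1: the first free <hash>.<prefix>N,
# or an existing slot that already holds identical content (safe to re-run).
slot_for() {
    file=$1 dir=$2 hash=$3 prefix=$4 n=0
    while [ -e "$dir/$hash.$prefix$n" ]; do
        cmp -s "$file" "$dir/$hash.$prefix$n" && break
        n=$((n + 1))
    done
    printf '%s\n' "$hash.$prefix$n"
}

# build_capath DEST FILE...
build_capath() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for f in "$@"; do
        case $f in
            *.crt)
                # Subject-name hash of the CA certificate, as in the reply.
                hash=$(openssl x509 -hash -noout -in "$f") || return 1
                name=$(slot_for "$f" "$dest" "$hash" "") ;;
            *.crl)
                # Issuer-name hash of the CRL: same value as the issuing
                # CA's subject hash, so the CRL lands beside its CA.
                hash=$(openssl crl -hash -noout -in "$f") || return 1
                name=$(slot_for "$f" "$dest" "$hash" "r") ;;
            *)
                echo "skipping $f: not .crt or .crl" >&2
                continue ;;
        esac
        cp "$f" "$dest/$name" || return 1
        echo "$f -> $name"
    done
}

# Run directly as: script DEST FILE...
if [ "$#" -ge 2 ]; then build_capath "$@"; fi
```

A renewed CRL from the same CA differs from the stored copy and would be added as `<hash>.r1`, so delete the old `<hash>.rN` file before re-running with the new CRL.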