Hi Sarah,

Sarah Belghiti wrote:
> Ok thx a lot! I wanted to be sure because I'm in an internship and I
> didn't want to disturb the system admin for nothing!!
>
> One last question: the option crl-verify is not necessary in this case??
>
nope, you cannot even use it in this case

JJK

> 2013/7/2 Jan Just Keijser <janj...@nikhef.nl>
>
> > Hi,
> >
> > Sarah Belghiti wrote:
> > > Hi,
> > > Thanks for your help.
> > > I do need multiple CAs and multiple CRLs.
> > > Using the --capath option means replacing "ca ca.crt" by "capath
> > > /path/to/a/directory" in the server conf file??
> >
> > yes you'd use
> >    capath /full/path/to/dir
> >
> > and in that directory you'll need to create hashed versions of the
> > certificates and CRLs used; the .crt files should be renamed to
> > <hash>.0 and the .crl files to <hash>.r0
> > where <hash> is the output of
> >    openssl x509 -hash -noout -in ca.crt
> >
> > HTH,
> >
> > JJK
> >
> > > 2013/7/1 Jan Just Keijser <janj...@nikhef.nl>
> > >
> > > > Hi Sarah,
> > > >
> > > > Sarah Belghiti wrote:
> > > > > Hi,
> > > > >
> > > > > I'm trying to test OpenVPN with several CRLs.
> > > > > There are two intermediate CAs and a root CA.
> > > > > The two intermediate CAs have revoked two certificates.
> > > > > So I have two CRLs.
> > > > > I've tried stacking the two CRLs in one (cat CRL-1.list
> > > > > CRL-2.list > CRL.pem) and adding --crl-verify crl.pem but it
> > > > > does not work and only one of the two revoked certificates is
> > > > > unable to connect to the VPN.
> > > > >
> > > > > Then I saw this message:
> > > > >
> > > > > http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17643.html
> > > > > which seems to be the solution to my problem.
> > > > >
> > > > > Before testing it I wonder if adding --crl-verify is
> > > > > necessary?
> > > >
> > > > stacking CRLs currently does not work with OpenVPN. A minor code
> > > > change would be needed for the OpenSSL backend.
> > > > you would need CRLs only if you are actively revoking user
> > > > certificates - otherwise not.
> > > > If you really need multiple CAs and multiple CRLs then use the
> > > > --capath option.
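The capath layout described in the thread, as an added example that is not part of the original messages: a shell script that copies each CA certificate to `<hash>.0` and each CRL to `<hash>.r0`. The function names are hypothetical, files ending in `.crl` are assumed to be CRLs (everything else a certificate), and the target directory is assumed to start empty.

```shell
#!/bin/sh
# Added example: populate an OpenVPN "capath" directory with hashed names.
# Assumption: the target directory is empty; rebuild it when a CRL is reissued.

# Hash of a CA certificate's subject name (the command quoted in the thread).
cert_hash() { openssl x509 -hash -noout -in "$1"; }

# Hash of a CRL's issuer name; it equals cert_hash of the CA that issued the CRL,
# which is how a CRL is matched to its CA inside the directory.
crl_hash() { openssl crl -hash -noout -in "$1"; }

# Print the first unused name "<hash>.<prefix>N" in directory $1.
# prefix is "" for certificates (.0, .1, ...) and "r" for CRLs (.r0, .r1, ...).
next_free_name() {
    dir=$1 hash=$2 prefix=$3 n=0
    while [ -e "$dir/$hash.$prefix$n" ]; do n=$((n + 1)); done
    printf '%s\n' "$hash.$prefix$n"
}

# Copy one PEM file into the capath directory under its hashed name.
install_hashed() {
    dir=$1 file=$2
    case $file in
        *.crl) h=$(crl_hash "$file") || return 1; prefix=r ;;
        *)     h=$(cert_hash "$file") || return 1; prefix= ;;
    esac
    [ -n "$h" ] || return 1
    name=$(next_free_name "$dir" "$h" "$prefix")
    cp "$file" "$dir/$name" && printf '%s\n' "$name"
}

# build_capath DIR FILE...: install every CA certificate and CRL given.
build_capath() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for f in "$@"; do
        install_hashed "$dir" "$f" >/dev/null || { echo "failed: $f" >&2; return 1; }
    done
}

# Stand-alone use (paths are placeholders):
#   sh build-capath.sh /full/path/to/dir root.crt ca1.crt ca2.crt ca1.crl ca2.crl
if [ "$#" -ge 2 ]; then build_capath "$@"; fi
```

The server configuration then uses `capath /full/path/to/dir` in place of `ca ca.crt`, without `crl-verify`, as stated in the thread.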