Hi Sarah,

Sarah Belghiti wrote:
> Ok thx a lot! I wanted to be sure because I'm in an internship and I
> didn't want to disturb the admin system for nothing!!
>
> One last question: the option crl-verify is not necessary in this case?
>
nope, you cannot even use it in this case


JJK

>
>
> 2013/7/2 Jan Just Keijser <janj...@nikhef.nl>
>
>     Hi,
>
>
>     Sarah Belghiti wrote:
>
>         Hi,
>         Thanks for your help.
>         I do need multiple CAs and multiple CRLs.
>         Does using the --capath option mean replacing "ca ca.crt" with
>         "capath /path/to/a/directory" in the server conf file?
>
>     yes, you'd use
>      capath /full/path/to/dir
>
>     and in that directory you'll need to create hashed versions of the
>     certificates and CRLs used; the .crt files should be renamed to
>     <hash>.0 and the .crl files to <hash>.r0
>     where <hash> is the output of
>      openssl x509 -hash -noout -in ca.crt
>
>     HTH,
>
>     JJK
>
>
>
>         2013/7/1 Jan Just Keijser <janj...@nikhef.nl>
>
>
>             Hi Sarah,
>
>
>             Sarah Belghiti wrote:
>
>                 Hi,
>
>                 I'm trying to test OpenVPN with several CRLs.
>                 There are two intermediate CAs and a root CA.
>                 The two intermediate CAs have revoked two certificates.
>                 So I have two CRLs.
>                 I've tried stacking the two CRLs in one (cat CRL-1.list
>                 CRL-2.list > CRL.pem ) and adding --crl-verify crl.pem,
>                 but it does not work and only one of the two revoked
>                 certificates is unable to connect to the VPN.
>
>                 Then I saw this message:
>                 http://readlist.com/lists/lists.sourceforge.net/openvpn-users/3/17643.html
>                 which seems to be the solution to my problem.
>
>                 Before testing it I wonder if adding --crl-verify is
>                 necessary?
>
>             stacking CRLs currently does not work with OpenVPN. A minor
>             code change would be needed for the OpenSSL backend.
>             you would need CRLs only if you are actively revoking user
>             certificates - otherwise not.
>             If you really need multiple CAs and multiple CRLs then use the
>             --capath option.
>
>
>
>
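
The capath layout described in the quoted replies, as an added shell example that is not part of the original thread. The function name `build_capath` and the input file names are assumptions, and inputs are expected in PEM format.

```shell
#!/bin/sh
# Added example (not from the thread): populate a --capath directory.
# Usage: build_capath /full/path/to/dir ca1.crt ca2.crt ca1.crl ca2.crl
build_capath() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for f in "$@"; do
        # Certificates hash on the subject name and CRLs on the issuer name,
        # so a CRL gets the same <hash> as the CA certificate that issued it.
        if h=$(openssl x509 -hash -noout -in "$f" 2>/dev/null); then
            prefix=""           # certificate -> <hash>.0
        elif h=$(openssl crl -hash -noout -in "$f" 2>/dev/null); then
            prefix="r"          # CRL -> <hash>.r0
        else
            echo "build_capath: $f is not a PEM certificate or CRL" >&2
            return 1
        fi
        # Different CAs can share a hash value: use the next free suffix,
        # and skip the file if an identical copy is already installed.
        n=0
        while [ -e "$dest/$h.$prefix$n" ]; do
            cmp -s "$f" "$dest/$h.$prefix$n" && continue 2
            n=$((n + 1))
        done
        cp "$f" "$dest/$h.$prefix$n" || return 1
    done
}
```

When a CA issues a new CRL, rebuild the directory from scratch so the old copy does not remain under a lower suffix.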

