From: "Jason Long via Openvpn-users" <openvpn-users@lists.sourceforge.net>
Date: Saturday, 26 August 2023 at 07:40:18
To: "openvpn-users@lists.sourceforge.net" <openvpn-users@lists.sourceforge.net>, "Jochen Bern" <jochen.b...@binect.de>
Subject: Re: [Openvpn-users] Revoke a certificate and reuse it

On 25.08.23 21:41, Jason Long via Openvpn-users wrote:
> Hello,
> With the help of the following command, you can revoke a certificate:
> # ./revoke-full "Client_Name"
> Now if you change your mind, is it possible to use that certificate again?
> Is there a command to validate a revoked certificate?

> Semantically, no, there is no such thing as "unrevoking" a certificate.
> Technically, you can get a cert back out of a CRL or other listing, and
> hope that the world will forget it was ever listed there, or never
> noticed that in the first place, but it'd probably be less work to just
> have the CA issue a *new* cert instead.
>
> *Revoked* certs do *not* count against the guideline of "there shouldn't
> be two certs by the same CA for the same DN with overlapping validity
> periods".
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hi Jochen,
Thank you so much for your reply. I have two questions:
1- How do you give keys to a large number of clients? Suppose there are 1000 employees in a company, do all employees have to go to the IT department of that company to get the client keys?
2- Is it possible to send a new key to clients automatically when a client key is revoked?

Jason, a private key IS private. Every user should have their own private key. This could yield over 100,000 keys for some organizations, or in the case of national eIDs, many millions.

And keys never get revoked. If you suspect that a private key has been compromised, the corresponding certificate gets revoked.

UNrevoke is a no-go, and undermines the whole concept: if, on second thought, you find out it was a false rumour, you could issue a NEW certificate based on the original key-pair. (But most will generate new keys and certificates.)

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
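The following script is an added example and is not code from this thread, from easy-rsa or from OpenVPN. It spells out with plain openssl what easy-rsa's "revoke-full Client_Name" wrapper does (openssl ca -revoke, openssl ca -gencrl, then a verify -crl_check that is expected to fail with "certificate revoked"), then shows the two points made above: the CRL entry is not taken back, and the remedy is a NEW certificate signed for the same key-pair, which the revoked entry does not block even though the DN is identical. It assumes an openssl command-line tool (1.1.1 or 3.x) on PATH; the CA name Demo-Root-CA, the file names and the scratch directory are invented for the demo, and only the CN Client_Name is taken from the question.

```shell
#!/bin/sh
# Added example, not from the thread, easy-rsa or OpenVPN: revoke a client
# certificate the way revoke-full does, show the CRL entry is permanent, and
# issue a replacement certificate for the SAME key-pair. Assumes an openssl
# CLI (1.1.1 or 3.x); all names and paths below are made up for the demo.
set -eu

# Run a command quietly and name it on failure. Explicit checks are used
# instead of set -e, which POSIX shells ignore inside if / && / || contexts.
q() { "$@" >/dev/null 2>&1 || { echo "FAILED: $*" >&2; return 1; }; }

# Minimal "openssl ca" layout and config in the current (scratch) directory.
write_ca_config() {
  mkdir -p newcerts && : > index.txt && echo 1000 > serial && echo 1000 > crlnumber
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
x509_extensions = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Verify a cert against the CA and the current CRL (what an OpenVPN server
# with crl-verify effectively does at connect time).
crl_verify() { openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1"; }

# The scenario, run inside the scratch directory. Returns 0 only if every
# expectation holds.
revoke_and_reissue() {
  write_ca_config || return 1
  # Root CA (P-256 keeps key generation fast).
  q openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out ca.key || return 1
  q openssl req -x509 -new -key ca.key -subj /CN=Demo-Root-CA -days 365 \
      -config ca.cnf -out ca.crt || return 1
  # Client key-pair: the private key stays with the user; the CA only sees the CSR.
  q openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out client.key || return 1
  q openssl req -new -key client.key -subj /CN=Client_Name -config ca.cnf -out client.csr || return 1
  q openssl ca -batch -config ca.cnf -in client.csr -out client.crt -notext || return 1
  q openssl ca -config ca.cnf -gencrl -out crl.pem || return 1
  echo "1) fresh certificate:" && crl_verify client.crt || return 1
  # revoke-full, spelled out: mark the serial revoked, publish a new CRL and
  # verify against it, EXPECTING failure. The private key itself is untouched.
  q openssl ca -config ca.cnf -revoke client.crt -crl_reason keyCompromise || return 1
  q openssl ca -config ca.cnf -gencrl -out crl.pem || return 1
  echo "2) after revocation (should report 'certificate revoked'):"
  if crl_verify client.crt 2>&1; then echo "revoked cert still verifies"; return 1; fi
  # No "unrevoke": the serial stays on the CRL. The remedy is a NEW certificate
  # for the same key-pair, i.e. a fresh CSR signed with the existing client.key.
  q openssl req -new -key client.key -subj /CN=Client_Name -config ca.cnf -out client2.csr || return 1
  q openssl ca -batch -config ca.cnf -in client2.csr -out client2.crt -notext || return 1
  echo "3) replacement certificate, same key-pair:" && crl_verify client2.crt || return 1
  # Same public key, different serial. The revoked row does not block a new cert
  # for the same DN: unique_subject only counts 'V' (valid) rows in index.txt.
  [ "$(openssl x509 -in client.crt -noout -pubkey)" = "$(openssl x509 -in client2.crt -noout -pubkey)" ] || return 1
  [ "$(openssl x509 -in client.crt -noout -serial)" != "$(openssl x509 -in client2.crt -noout -serial)" ] || return 1
  [ "$(grep -c '^R' index.txt)" = 1 ] && [ "$(grep -c '^V' index.txt)" = 1 ] || return 1
}

# Run the scenario in a throw-away directory and clean up; 0 = all checks passed.
demo_revoke_reissue() {
  workdir=$(mktemp -d) || return 1
  rc=0; ( cd "$workdir" && revoke_and_reissue ) || rc=$?
  rm -rf "$workdir"
  return "$rc"
}

demo_revoke_reissue && echo "all checks passed"
```

Run it as a plain sh script; it needs nothing but openssl and leaves no files behind. Step 2 is the only place where a failing verify is the correct outcome; if a server still accepted the first certificate after that point, it would be because its copy of crl.pem was stale, not because the revocation was "undone".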
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users