Hi,
On 08/01/2024 21:34, Hans via Openvpn-users wrote:
> Hi all,
> Before asking the obvious: yes, I did go through the man-page, and
> doc/tls-crypt-v2.txt... :-)
> Today I was experimenting with "crypt2":
> 1) I can generate a tls-crypt2-server-key
> 2) And based on that key, I can generate several tls-crypt2-client-keys
> So far so good, BUT:
> 1) how can I revoke a SINGLE client key (as this was suggested as a
> 'new feature')
> 2) how do I do the verification? I presume with "tls-crypt-v2-verify cmd"
Yes. It's inside this script that you can implement all kinds of logic
that you need. There is no out-of-the-box knob for revoking just one
specific key.
The idea behind the "flexibility" is that you are allowed to store
(almost) anything inside the client-key metadata. This metadata is then
available to the verify script which can do anything about it.
For example the metadata may contain some unique ID or the fingerprint
of the client cert, or anything you may come up with (i.e. an expiry date).
This is why you couldn't find any "how" on the Internet. You need to
build the logic by yourself.
I hope this helps!
Cheers,
--
Antonio Quartulli
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
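As an added illustration of the approach Antonio describes (not code from the thread or from the OpenVPN project), here is a minimal `--tls-crypt-v2-verify` script that revokes one client key by looking its metadata up in a revocation list. OpenVPN hands the script the key's metadata through the environment variables `metadata_type` (0 = user-supplied, 1 = creation timestamp) and `metadata_file` (a temporary file holding the raw metadata bytes), and accepts the client only if the script exits 0. The metadata layout `id=<client-id>` and the revocation list path `/etc/openvpn/tcv2-revoked.txt` (overridable via `REVOKED_LIST`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenVPN itself.
# Assumed convention: every client key was generated with user-supplied
# metadata of the form "id=<client-id>", and the revocation list contains
# one revoked client id per line.

# verify_key <metadata_type> <metadata_file> <revocation_list>
# Returns 0 to accept the connecting client, 1 to reject it.
verify_key() {
    mtype=$1; mfile=$2; revoked=$3

    # A key carrying only the default timestamp metadata (type 1) has no
    # identifier we could revoke individually, so refuse it outright.
    [ "$mtype" = "0" ] || return 1

    # The file holds raw bytes: keep the first line and strip anything
    # outside a conservative character set before using it.
    id=$(head -n 1 "$mfile" | tr -cd 'A-Za-z0-9_=.-')
    case "$id" in
        id=*) id=${id#id=} ;;
        *)    return 1 ;;     # unexpected metadata layout: reject
    esac
    [ -n "$id" ] || return 1

    # Reject when the id matches a whole line of the revocation list.
    if [ -f "$revoked" ] && grep -qxF -- "$id" "$revoked"; then
        return 1
    fi
    return 0
}

# When OpenVPN invokes the script, the inputs arrive in the environment.
if [ -n "$metadata_file" ]; then
    verify_key "${metadata_type:-1}" "$metadata_file" \
        "${REVOKED_LIST:-/etc/openvpn/tcv2-revoked.txt}"
    exit $?
fi
```

Revoking a single key then means appending its id to the revocation list; keys generated without the `id=` metadata are rejected rather than silently accepted.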