Hi,

On Tue, Jan 09, 2024 at 07:08:08AM +0000, Peter Davis wrote:
> Thanks again.
> I forgot to tell you that this is an internal server. I have other questions:
> 
> 1- Assuming my vars file is as follows:
> 
> export KEY_COUNTRY="US"
> export KEY_PROVINCE="CA"
> export KEY_CITY="NY"
> export KEY_ORG="GreatCoder"
> export KEY_EMAIL="ad...@greatcoder.xyz"
> export KEY_OU="OpenVPN"
> 
> I generated the server and client keys and then deleted the Easy-RSA 
> directory. After a few months I revoke the keys 

If you throw away the CA, there is no way to (cryptographically) revoke
anything.  "Revocation" needs a signature from the CA that something is
no longer seen as trusted.

> and create a vars file again with the above information. I generate server 
> and client keys again. Does this cause a problem?

If you recreate everything, you can do this whenever you want.  Normally
people do not "recreate everything" because it's lots of (avoidable) work.

> I guess deleting the Easy-RSA directory becomes a problem when my keys are 
> going to be used on the Internet!

This has nothing to do with "Internet" but with "will you need to add or
revoke keys later on, with the same CA, or not".

> 2- Isn't the expiration date of the keys 365 days by default?

No idea, but EasyRSA documentation should tell.

> 3- If the Easy-RSA directory should not be deleted, then should there be an 
> Easy-RSA directory for each server?

For each *PKI*.  Which is not the same thing as "server", especially since
"server" can mean a number of different things.

gert
-- 
"If was one thing all people took for granted, was conviction that if you 
 feed honest figures into a computer, honest figures come out. Never doubted 
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
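
Added example, not part of the original e-mail: the point about revocation needing a signature from the CA, shown with the plain openssl CLI instead of Easy-RSA. The throwaway CA, the names "Demo CA" and "client1" and all file names are constructed for the demo, and it assumes openssl is installed.

```shell
#!/bin/sh
# Constructed demo PKI in a temp dir; all names are made up. Needs the openssl CLI.
demo_dir=$(mktemp -d) && cd "$demo_dir" || exit 1

make_pki() {   # one CA, one client certificate signed by it
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" \
        -keyout ca.key -out ca.crt 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout client1.key -out client1.csr 2>/dev/null &&
    openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 30 -out client1.crt 2>/dev/null &&
    : > index.txt &&          # the CA's (empty) revocation database
    printf '%s\n' '[ca]' 'default_ca = demo' '[demo]' 'database = index.txt' \
        'default_md = sha256' 'default_crl_days = 30' > ca.cnf
}

revoke_client() {   # mark client1 revoked, then sign a fresh CRL with the CA key
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -revoke client1.crt 2>/dev/null &&
    openssl ca -config ca.cnf -cert ca.crt -keyfile ca.key \
        -gencrl -out crl.pem 2>/dev/null
}

client_accepted() {   # what a CRL-checking server would decide
    if [ -f crl.pem ]; then
        openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check client1.crt
    else
        openssl verify -CAfile ca.crt client1.crt
    fi >/dev/null 2>&1
}

make_pki || exit 1
client_accepted && before=accepted || before=rejected
mv ca.key ca.key.gone        # the "deleted Easy-RSA directory" case
revoke_client && lost=revoked || lost=cannot-revoke
client_accepted && still=accepted || still=rejected
mv ca.key.gone ca.key        # CA kept: revocation works
revoke_client && kept=revoked || kept=cannot-revoke
client_accepted && after=accepted || after=rejected
echo "before=$before lost=$lost still=$still kept=$kept after=$after"
```

With the CA key gone, no CRL can be signed and client1 keeps verifying; with the CA kept, the signed CRL makes verification fail. An OpenVPN server consumes such a CRL through its crl-verify option.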
