OpenVPN doesn't support CRLs at this time, but there is another way to do it.

OpenVPN allows a shell script to be called to confirm whether or not a given certificate is to be allowed. See --tls-verify and the verify-cn script for more info. You can write your own script which checks the Common Name (CN) of the incoming certificate and rejects it if it's one of the set of revoked CNs.

It would be nice if OpenVPN also supported traditional CRLs. Does anyone have a patch for this?

James

Felipe Sanchez <izto@xxxxxxxxxxxxxxxxx> said:

> On Wed, 30 Apr 2003, Malcolm Sole wrote:
>
> > Hi
> >
> > I am using OpenVPN with a number of clients connecting to a central system
> > and it works very well. I am not sure of what the procedure would be to
> > revoke a client's certificate (if say the client box is stolen). I am using
> > the easy-rsa scripts to create self signed certificates.
> >
> > Can anyone point me in the right direction please?
>
> What you need is a Certificate Revocation List (CRL). You will have to add
> all the certificates you don't want to allow anymore, and then instruct
> openvpn to run openssl and verify the CRL when the client connects.
>
> There was some talking about adding CRL support to OpenVPN a while ago, I
> have been doing some work in that area.
> Any help is welcome, of course :)
>
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
>
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
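
The CN-based rejection described in the reply above, as an added example (not from the original thread and not the verify-cn script shipped with OpenVPN). It assumes OpenVPN appends the certificate depth and the X509 subject string as the last two arguments to the --tls-verify command; the script path, list file name and CNs shown are hypothetical.

```shell
#!/bin/sh
# Assumed config line (paths are hypothetical):
#   tls-verify "/etc/openvpn/verify-revoked /etc/openvpn/revoked-cns.txt"
# OpenVPN is assumed to append: <certificate depth> <X509 subject>.
# Exit status 0 lets the TLS handshake proceed, 1 fails it.

# Print the CN from a subject in "/C=US/CN=name" or "C=US, CN=name" form.
# Prints nothing when no CN field is present. A CN that itself contains
# "/" or "," is cut short, so keep issued CNs free of both characters.
extract_cn() {
    printf '%s\n' "$1" | tr ',' '/' | tr '/' '\n' |
        sed -n 's/^ *CN=//p' | head -n 1
}

# $1 = file listing revoked CNs (one per line), $2 = depth, $3 = subject
check_cert() {
    revoked_file=$1
    depth=$2
    subject=$3
    case $depth in
        0) ;;                        # the peer's own certificate: check it
        ''|*[!0-9]*) return 1 ;;     # malformed depth: fail closed
        *) return 0 ;;               # CA certificates pass through
    esac
    # Fail closed if the list is unreadable or the subject has no CN.
    [ -r "$revoked_file" ] || return 1
    cn=$(extract_cn "$subject")
    [ -n "$cn" ] || return 1
    # -F fixed string, -x whole line: "client1" must not match "client10".
    if grep -Fxq -- "$cn" "$revoked_file"; then
        echo "rejecting revoked CN: $cn" >&2
        return 1
    fi
    return 0
}

# Act as the hook only when list file, depth and subject are all supplied.
if [ "$#" -ge 3 ]; then
    check_cert "$1" "$2" "$3"
    exit $?
fi
```

Because the match is on the CN rather than the certificate serial number, a replacement certificate for the same machine needs a different CN than the revoked one.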