Re: [Openvpn-users] Revoking Certificate


  • Subject: Re: [Openvpn-users] Revoking Certificate
  • From: "James Yonan" <jim@xxxxxxxxx>
  • Date: Thu, 8 May 2003 05:41:11 -0000

OpenVPN doesn't support CRLs at this time, but there is another way to do it.
OpenVPN allows a shell script to be called to confirm whether or not a given
certificate is to be allowed.

See --tls-verify and the verify-cn script for more info.

You can write your own script which checks the Common Name (CN) of the
incoming certificate and rejects it if it's one of the set of revoked CNs.

It would be nice if OpenVPN also supported traditional CRLs.  Does anyone have
a patch for this?

James

Felipe Sanchez <izto@xxxxxxxxxxxxxxxxx> said:

> 
> 
> On Wed, 30 Apr 2003, Malcolm Sole wrote:
> 
> > Hi
> >
> > I am using OpenVPN with a number of clients connecting to a central system
> > and it works very well. I am not sure of what the procedure would be to
> > revoke a client's certificate (if say the client box is stolen). I am using
> > the easy-rsa scripts to create self signed certificates.
> >
> > Can anyone point me in the right direction please?
> 
> 
> What you need is a Certificate Revocation List (CRL). You will have to add
> all the certificates you don't want to allow anymore, and then instruct
> openvpn to run openssl and verify the CRL when the client connects.
> 
> There was some talk about adding CRL support to OpenVPN a while ago; I
> have been doing some work in that area. Any help is welcome, of course :)
> 
> 
> 
> -------------------------------------------------------
> Enterprise Linux Forum Conference & Expo, June 4-6, 2003, Santa Clara
> The only event dedicated to issues related to Linux enterprise solutions
> www.enterpriselinuxforum.com
> 
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
> 



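The check described in the reply above, as an added example that is not part of the original message and is not OpenVPN's own verify-cn script: a `--tls-verify` shell script that rejects a peer certificate whose CN is on a revoked list. The list path, its one-CN-per-line format, and the assumption that CNs contain no `/` or `,` are choices made for this example.

```shell
#!/bin/sh
# Added example. Hook it up in the OpenVPN config with (path is a placeholder):
#   tls-verify /etc/openvpn/verify-revoked.sh
# OpenVPN appends two arguments: certificate depth and X509 subject string.
# Exit status 0 accepts the certificate, non-zero rejects it.

# Hypothetical revoked list: one CN per line, lines starting with '#' are comments.
REVOKED_LIST="${REVOKED_LIST:-/etc/openvpn/revoked-cns.txt}"

# Print the first CN found in a subject string. Handles both the
# "/C=US/O=x/CN=name/..." and the "C=US, O=x, CN=name" layouts.
# Assumption: the CN itself contains no '/' or ','.
extract_cn() {
    printf '%s\n' "$1" | tr '/,' '\n\n' | sed -n 's/^ *CN=//p' | head -n 1
}

# Return 0 to accept, 1 to reject. Fails closed on anything unexpected.
verify_cert() {
    depth=$1
    subject=$2
    case $depth in
        0) ;;                        # peer certificate: check it below
        ''|*[!0-9]*) return 1 ;;     # malformed depth: reject
        *) return 0 ;;               # CA certificates higher in the chain
    esac
    cn=$(extract_cn "$subject")
    if [ -z "$cn" ]; then
        echo "REJECT: no CN in subject '$subject'" >&2
        return 1
    fi
    if [ ! -r "$REVOKED_LIST" ]; then
        echo "REJECT: cannot read $REVOKED_LIST" >&2
        return 1
    fi
    # -F fixed string, -x whole-line match, so "bob" does not match "bobby".
    if grep -Fxq -- "$cn" "$REVOKED_LIST"; then
        echo "REJECT: revoked CN=$cn" >&2
        return 1
    fi
    return 0
}

# Run as the tls-verify hook only when OpenVPN supplies its two arguments.
if [ "$#" -ge 2 ]; then
    verify_cert "$1" "$2"
    exit $?
fi
```

Because the match is on the CN alone, a replacement certificate issued to the same client needs a different CN, or it will be rejected as well.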