On Mon, 07 Feb 2005 17:39:05 -0600, Aaron P. Martinez wrote:

> If you have revoked, say "openssl revoke usercert.pem"
>
> and then do indeed want to regrant access to this user, can you recreate
> the user using the same name?

Yes. (This creates a new key -- there's no way to reactivate their old one -- but it works).

> Other thing, I have pem files in my key out directory, as set up in
> the vars script in easy-rsa, but they are just numbers. 01.pem 02.pem
> So when I revoke someone, do I have to look through the pem files to
> find the correct user, or can I use the name of their .crt or .key file?

The [nn].pem files are part of OpenSSL's ca storage format. I generally consider it good practice to pretend that they're opaque. You can revoke using the .crt file under a different name.

> If I do ./build-key-pass testuser, I get 0x.pem, testuser.crt
> testuser.key and testuser.csr. Will "openssl revoke testuser.crt" work?

Yes.

BTW, I have a substantially extended version of easy-rsa which uses GNU Arch to provide a transactional filesystem for the backend, allowing it to revert to the last stored state whenever an openssl command fails and keep a full (GnuPG-signed) history of the CA's previous valid states (a history which excludes the CA's private key and so has lower security constraints than the CA itself) and the commands which led to those states. It also tries to eliminate any cases where a human operator would need to interact with the repository used to store the CA's state except via easy-rsa commands, and by separating out the bits of the repository intended for human access from the intended-opaque ones, it should eliminate some questions along the lines of the above.

Right now it's quite heavily tailored for my own use, but I intend to generalize it at some point. The Arch-specific bits would be the simplest to provide independently, but they're much more useful with the surrounding scriptage... anyhow, more on this when it's ready.
____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
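The question of which numbered [nn].pem belongs to which user can be answered from the CA database that OpenSSL keeps beside those files (easy-rsa's keys/index.txt) rather than by opening each certificate. The following is an added example, not code from the thread or from easy-rsa: it parses a constructed index.txt sample and assumes the standard OpenSSL ca layout (tab-separated status, expiry, revocation date, serial, filename, subject DN) and that the numbered files are OpenSSL's per-serial copies, so serial 02 corresponds to 02.pem. The sample also shows what the reply above describes: a re-created "testuser" gets a new serial while the revoked one stays on record as R.

```python
"""Map easy-rsa's numbered [nn].pem files to subjects via OpenSSL's index.txt."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of an OpenSSL CA database (easy-rsa keys/index.txt).
# Columns are tab-separated: status, expiry, revocation date, serial,
# filename ("unknown" for OpenSSL ca), subject DN. Serial 02 is the revoked
# "testuser" certificate; serial 03 is the re-issued one with the same CN.
SAMPLE_INDEX = (
    "V\t150207233905Z\t\t01\tunknown\t/C=US/O=Fort-Funston/CN=server/emailAddress=me@myhost.mydomain\n"
    "R\t150207233905Z\t050207235000Z,keyCompromise\t02\tunknown\t/C=US/O=Fort-Funston/CN=testuser/emailAddress=me@myhost.mydomain\n"
    "V\t150208001200Z\t\t03\tunknown\t/C=US/O=Fort-Funston/CN=testuser/emailAddress=me@myhost.mydomain\n"
)


@dataclass
class CaEntry:
    status: str       # "V" valid, "R" revoked, "E" expired
    expires: str      # YYMMDDHHMMSSZ
    revoked_at: str   # YYMMDDHHMMSSZ, empty unless status is "R"
    reason: str       # optional reason OpenSSL appends after a comma
    serial: str       # hex serial as written by OpenSSL ca
    subject: str      # full DN

    @property
    def pem_name(self) -> str:
        # Assumption: the [nn].pem files are OpenSSL's new_certs_dir copies,
        # named after the certificate serial.
        return f"{self.serial}.pem"

    @property
    def cn(self) -> Optional[str]:
        # Simplification: the DN is split on "/" without handling escaped slashes.
        for part in self.subject.split("/"):
            if part.startswith("CN="):
                return part[3:]
        return None


def parse_index(text: str) -> List[CaEntry]:
    """Parse index.txt lines into CaEntry records; reject malformed lines."""
    entries: List[CaEntry] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"malformed index.txt line: {line!r}")
        status, expires, revoked, serial, _filename, subject = fields
        revoked_at, _, reason = revoked.partition(",")
        entries.append(CaEntry(status, expires, revoked_at, reason, serial, subject))
    return entries


def entries_for_cn(entries: List[CaEntry], cn: str) -> List[CaEntry]:
    """All certificates ever issued for a CN, including revoked ones."""
    return [e for e in entries if e.cn == cn]


def active_pem_for_cn(entries: List[CaEntry], cn: str) -> Optional[str]:
    """The numbered file of the currently valid certificate for a CN, if any."""
    for e in entries_for_cn(entries, cn):
        if e.status == "V":
            return e.pem_name
    return None


def revocation_status(entries: List[CaEntry], pem_name: str) -> Optional[str]:
    """Status letter for a numbered file, or None if the CA never issued it."""
    for e in entries:
        if e.pem_name == pem_name:
            return e.status
    return None


if __name__ == "__main__":
    for e in parse_index(SAMPLE_INDEX):
        print(f"{e.pem_name:8} {e.status} {e.cn:10} {e.revoked_at} {e.reason}")
```

Running it prints one row per numbered file with its status and CN, which is the lookup the original poster wanted without treating the [nn].pem files as anything but opaque. Checking the status column before trusting a certificate file is also the quick way to confirm that a revocation actually landed in the database before regenerating the CRL.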