An up-front warning: I've been in the office for over 20 hours now, so I can't promise much by way of lucidity.

On Wed, 02 Mar 2005 15:47:07 +0100, Eugen Leitl wrote:
> On Wed, Mar 02, 2005 at 12:24:13AM -0600, Charles Duffy wrote:
>
>> > Q2: What does everyone else do regarding their openvpn certificates?
>>
>> Me? I issue 10-year certificates, and have toolage and policies for
>> tracking which certificates are valid/revoked/etc, getting certificates
>> that need to be revoked, and getting the CRLs out to where they need to
>> go.
>
> Do you have a homebrewed set of scripts, or do you maintain this on dead
> tree alone?
>
> If you have a set of scripts, and can post a tarball, I'd really like to
> see a copy.

I have homebrewed scripts, but they're heavily customized for my company's deployment model. Even explaining the customizations would arguably constitute giving out proprietary information. One of the items on my TODO list is building a version of these better fit for 3rd-party use; I'll post it on-list when I get around to it.

Essentially, though, I'm keeping an Arch repository with issued key/cert pairs (for the purposes of this VPN, the keys are centrally generated -- unlike the VPN we use for remote employees, where we go through the user-generated-CSR process; supporting that process is one of the extensions I want to write before releasing the code in question). The system does a commit after a successful operation (where an operation's granularity is on the scale of making a key or set of keys intended for an individual site), or a rollback after a failure (such that the repository is never in an inconsistent state).

There's a file structure within this repository that describes the relationship between sites and keys, and systems (and whole sites) that have their certificates revoked are removed from the non-opaque part of the repository. (The OpenSSL-governed portion is intended to be treated by the user as opaque.) There's also a tiny bit of cleanup to remove backup files and such that OpenSSL would track but the use of Arch makes moot.

Arch is also used as a distribution mechanism to push changes out from the CA [a system which accepts no incoming net connections and thus must be operated via console] to be backed up or distributed to where they're needed (i.e. support staff and the VPN servers).

Hopefully that gives you something to go on.

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
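As an added example (not code from the post or its author), here is the commit-on-success / roll-back-on-failure CA repository the message describes, with git standing in for Arch. Assumptions: the `ca/` (opaque OpenSSL part) and `sites/` (readable part) layout, `openssl x509 -req` for the 10-year signing, and that CRL generation stays on the opaque side and is not shown.

```shell
#!/bin/sh
# Transactional CA repository in the shape the post describes. Git stands in
# for Arch (assumption); so does the layout: ca/ is the opaque OpenSSL part,
# sites/<site>/ plus sites/INDEX and sites/REVOKED are the readable part.
set -eu

ca_init() {   # $1 = repository path: create a self-signed CA and commit it
  mkdir -p "$1/ca" "$1/sites" && git init -q "$1" &&
  git -C "$1" config user.email ca@example.invalid && git -C "$1" config user.name CA &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj /CN=example-vpn-ca \
    -keyout "$1/ca/ca.key" -out "$1/ca/ca.crt" 2>/dev/null &&
  git -C "$1" add -A && git -C "$1" commit -qm "init CA"
}

ca_tx() {     # $1 = repository, rest = operation: commit on success, roll back on failure
  repo=$1; shift
  if "$@"; then
    # drop the *.old backup copies OpenSSL keeps; version control makes them moot
    find "$repo" -path "$repo/.git" -prune -o -name '*.old' -exec rm -f {} + &&
    git -C "$repo" add -A && git -C "$repo" commit -qm "$*"
  else
    # restore the last committed state so the repository is never inconsistent
    git -C "$repo" reset -q --hard && git -C "$repo" clean -qfd
    return 1
  fi
}

issue_site() {   # $1 = repository, $2 = site: centrally generated key + 10-year cert
  d=$1/sites/$2
  mkdir -p "$d" &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$d/$2.key" -out "$d/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/$2.csr" -CA "$1/ca/ca.crt" -CAkey "$1/ca/ca.key" \
    -CAcreateserial -days 3650 -out "$d/$2.crt" 2>/dev/null &&
  rm "$d/$2.csr" &&
  serial=$(openssl x509 -in "$d/$2.crt" -noout -serial) &&
  echo "$2 $serial" >> "$1/sites/INDEX"
}

revoke_site() {  # $1 = repository, $2 = site: remove it from the readable part, keep its serial
  serial=$(openssl x509 -in "$1/sites/$2/$2.crt" -noout -serial) &&
  echo "$2 $serial" >> "$1/sites/REVOKED" && rm -r "$1/sites/$2" &&
  awk -v s="$2" '$1 != s' "$1/sites/INDEX" > "$1/sites/INDEX.new" &&
  mv "$1/sites/INDEX.new" "$1/sites/INDEX"
}
```

Every operation goes through `ca_tx`, e.g. `ca_tx /path/repo issue_site /path/repo siteA`, so a half-finished key generation never lands in the history.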