RE: [Openvpn-users] ssl cert unrevoke?


  • Subject: RE: [Openvpn-users] ssl cert unrevoke?
  • From: "Kroll, Nathan" <krolln@xxxxxxxx>
  • Date: Mon, 5 Dec 2005 09:36:12 -0600

Thanks!  That sounds much better.  I'll take a look.

Have a great day,

Nate

-----Original Message-----
From: openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx
[mailto:openvpn-users-admin@xxxxxxxxxxxxxxxxxxxxx] On Behalf Of Scott
Merrill
Sent: Monday, December 05, 2005 9:14 AM
Cc: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] ssl cert unrevoke?

Kroll, Nathan wrote:
> I was wondering if anyone knows how to unrevoke an SSL certificate using
> OpenSSL.  We want to be able to revoke and unrevoke at will, but cannot
> find a way to unrevoke a certificate.  Any help is appreciated.  Is
> there any other way to limit which certs can be used with OpenVPN
> without revoking them?  I want a user to authenticate to some other
> source, then unrevoke their cert for 24 hours, then revoke it again.
> That way the certificates stored on machines are useless without having
> the authorization access to have them made active.

Revoking a certificate is supposed to be an irreversible action.  There
may be ways around it, but I wouldn't advise trying them for anything
other than an academic exercise.

You can use the ccd-exclusive configuration option to restrict which
certificates are permitted to connect.  Create a (possibly empty) config
file for each legitimate user; and be sure to name the file the same as
the CommonName field in that user's certificate.

Then, rather than revoke their certificate, simply delete (or rename)
their CCD file.  The ccd-exclusive directive will prevent this user from
connecting.  If you later want to restore OpenVPN access for that
user/certificate, simply restore (or rename) their CCD file.

Cheers,
Scott

-- 
skippy@xxxxxxxxxx | http://skippy.net/

gpg --keyserver pgp.mit.edu --recv-keys 9CFA4B35
506C F8BB 17AE 8A05 0B49  3544 476A 7DEC 9CFA 4B35

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
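
The CCD-file approach described in the reply above, as an added example that is not part of the original thread: shell functions that grant, deny and time-limit access per CommonName without touching the CA. The directory paths, the function names and the parked-file directory are assumptions; the 24-hour default comes from the question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed server config, paths hypothetical:
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
# Parked files live outside CCD_DIR so OpenVPN never finds them.
DISABLED_DIR="${DISABLED_DIR:-/etc/openvpn/ccd.disabled}"

# The CN becomes a file name: reject empty names, dotfiles and path separators.
valid_cn() {
    case "$1" in
        ""|.*|*/*) echo "invalid CN: $1" >&2; return 1 ;;
    esac
}

# Permit a CN: restore its parked CCD file, or create an empty one.
ccd_grant() {
    valid_cn "$1" || return 1
    mkdir -p "$CCD_DIR" "$DISABLED_DIR"
    if [ -f "$DISABLED_DIR/$1" ]; then
        mv "$DISABLED_DIR/$1" "$CCD_DIR/$1"
    fi
    touch "$CCD_DIR/$1"    # mtime marks the start of the access window
}

# Block a CN without touching the CA: park its CCD file (contents are kept).
ccd_deny() {
    valid_cn "$1" || return 1
    [ -f "$CCD_DIR/$1" ] || return 0
    mkdir -p "$DISABLED_DIR"
    mv "$CCD_DIR/$1" "$DISABLED_DIR/$1"
}

# Park every CCD file granted more than N minutes ago (default 1440 = 24 hours).
ccd_expire() {
    find "$CCD_DIR" -maxdepth 1 -type f -mmin "+${1:-1440}" |
    while IFS= read -r f; do
        ccd_deny "$(basename "$f")"
    done
}

# True if ccd-exclusive would find a CCD file for this CN.
ccd_allowed() {
    valid_cn "$1" 2>/dev/null && [ -f "$CCD_DIR/$1" ]
}
```

Calling `ccd_expire` from a periodic job enforces the window; `ccd_grant` would be called by whatever out-of-band authentication step approves the user.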
