Re: [Openvpn-users] ssl cert unrevoke?


  • Subject: Re: [Openvpn-users] ssl cert unrevoke?
  • From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
  • Date: Tue, 06 Dec 2005 13:51:00 +1300

James Yonan wrote:
> Patrick Lodder wrote:
>
>> Isn't it so that the fact if a certificate is in "revoked" state
>> depends whether or not it's listed in a crl-file?
>> Then the matter of un-revoking is simple: just remove its listing
>> from the crl-file or regenerate the crl-file without the to be
>> un-revoked certificate
>>
> There's really two ways to do this:
>
> (1) Accept all signed certificates EXCEPT what is listed in the CRL
> (the --crl-verify method).
>
> (2) Accept no signed certificate unless it is explicitly named in the
> --client-config-dir directory (the --ccd-exclusive method).
>

There's a third way

(sorry if this has already been mentioned - I just noticed this thread now)

OpenSSL stores the status of each cert in ${CATOP}/index.txt - a text
file. It generates the CRL on the basis of its contents.

Just edit it - you will see the revoked cert starts with an "R". Replace
with a "V" and remove the third column entry (it's the date it was
revoked). Make sure you leave the correct number of tab-separated
columns in there, or you will corrupt your CA!!! Save and regenerate
your CRL - voila! No longer in the CRL.

(sad to say - but I've done this rather a lot - it works well)

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
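
The index.txt edit described in the message above, as an added example that is not part of the original post: a Python sketch that flips one record from "R" to "V" and refuses to proceed if any line lacks the expected tab-separated fields. The function names, the serial and the sample records are constructed for illustration; the six-field layout is the one OpenSSL's `ca` command writes.

```python
"""Added example: un-revoke one entry of an OpenSSL CA index.txt with field checks."""

FIELDS = 6  # status, expiry, revocation date, serial, filename, subject DN


def parse_line(line, lineno):
    """Split one record; reject it unless it has exactly 6 tab-separated fields."""
    cols = line.rstrip("\n").split("\t")
    if len(cols) != FIELDS:
        raise ValueError(f"line {lineno}: expected {FIELDS} fields, got {len(cols)}")
    status, revoked = cols[0], cols[2]
    if status not in ("V", "R", "E"):
        raise ValueError(f"line {lineno}: unknown status {status!r}")
    # Only revoked records carry a revocation date in the third column.
    if (status == "R") != bool(revoked):
        raise ValueError(f"line {lineno}: status {status!r} disagrees with column 3")
    return cols


def unrevoke(index_text, serial):
    """Return the index text with the record for `serial` changed from R to V."""
    out, hits = [], 0
    for n, line in enumerate(index_text.splitlines(), 1):
        cols = parse_line(line, n)
        if cols[3].upper() == serial.upper():
            if cols[0] != "R":
                raise ValueError(f"serial {serial} is not revoked (status {cols[0]})")
            # Empty the revocation date but keep the column, so the tab count is unchanged.
            cols[0], cols[2] = "V", ""
            hits += 1
        out.append("\t".join(cols))
    if hits != 1:
        raise ValueError(f"serial {serial}: matched {hits} records, expected 1")
    return "\n".join(out) + "\n"


# Constructed sample records (not from a real CA).
SAMPLE = (
    "V\t251206005100Z\t\t01\tunknown\t/CN=server\n"
    "R\t251206005100Z\t051201101500Z\t02\tunknown\t/CN=client1\n"
)

if __name__ == "__main__":
    # Write the result back to index.txt, then regenerate the CRL (openssl ca -gencrl).
    print(unrevoke(SAMPLE, "02"), end="")
```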

