Florian Lamberty wrote:
> Hello!
>
> I have an urgent problem. I revoked somebody's cert (the first one I
> ever revoked), and after a few days I noticed that this guy is *still*
> logging on via VPN. Damn - removed his frickin files (key, crt, csr),
> restarted openvpn - and the bugger is STILL able to connect!

As you've observed, the server never needs a local copy of a user's key or certificate to authenticate that user. Instead, it validates the key and certificate *provided by the user* against its copy of the CA certificate. Remember how best practice is to keep your CA on a completely different machine from your OpenVPN server? This is why that works.

The Right Thing is to revoke the user's certificate (for which you need to still have it -- so if you deleted it entirely, you've screwed yourself somewhat), generate a new CRL (certificate revocation list), and update the OpenVPN config file to use that CRL.

If you can't do that because you've completely deleted your copy of the user's certificate, use a client-config-dir to either whitelist clients (using the ccd-exclusive directive and a file -- even an empty one -- for each allowed client) or blacklist them using the disable directive.

There may be a way to revoke certificates without having a copy of them, but I'd need to look into how the "openssl ca" mechanism for tracking revoked certificates works.

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
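The following is an added example, not code from either message above, that walks through the reply's advice with a throwaway `openssl ca` setup in a temp directory: issue a client cert, delete the server-side copies the way the original poster did and show that validation of what the client presents still succeeds, then revoke, generate a CRL, and show the same cert being rejected. It also shows the point the reply was unsure about: `openssl ca` keeps its own copy of every certificate it signs under `new_certs_dir` (named by serial, recorded in `index.txt`), so the CA can revoke a cert even after the admin has deleted his copy. The client name "bob", the directory names and the config section names are all made up for the example; `crl-verify`, `client-config-dir`, `ccd-exclusive` and `disable` are real OpenVPN directives. Requires the `openssl` binary.

```shell
#!/bin/sh
# Added example (not from the original thread). All paths and the client "bob" are invented.
set -eu

WORK="$(mktemp -d)"
CA_DIR="$WORK/ca"               # stands in for your (ideally offline) CA machine
SERVER_COPY="$WORK/server-keys" # where the admin stashed bob's files on the VPN server
LAPTOP="$WORK/bob-laptop"       # what bob actually presents when he connects
CLIENT=bob

setup_ca() {
    mkdir -p "$CA_DIR/newcerts" "$SERVER_COPY" "$LAPTOP"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    echo 01 > "$CA_DIR/crlnumber"
    # Minimal "openssl ca" config. new_certs_dir is the important bit: the CA files
    # away its own copy of every cert it signs, so it can revoke without your copy.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
[ demo_policy ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -days 365 -subj /CN=demo-ca \
        -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

issue_client() {
    openssl req -new -nodes -newkey rsa:2048 -subj "/CN=$CLIENT" \
        -config "$CA_DIR/openssl.cnf" -keyout "$LAPTOP/$CLIENT.key" -out "$LAPTOP/$CLIENT.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$LAPTOP/$CLIENT.csr" -out "$LAPTOP/$CLIENT.crt" 2>/dev/null
    cp "$LAPTOP/$CLIENT".* "$SERVER_COPY/"   # the admin's copies; the server never reads them
}

# Mimics the server's check: validate the cert the *client* presents against the CA
# cert, plus the CRL once one exists (what crl-verify does). Prints accepted/rejected.
verify_client() {
    crl_args=""
    [ -f "$CA_DIR/crl.pem" ] && crl_args="-crl_check -CRLfile $CA_DIR/crl.pem"
    # shellcheck disable=SC2086
    if openssl verify $crl_args -CAfile "$CA_DIR/ca.crt" "$LAPTOP/$CLIENT.crt" 2>&1 | grep -q ': OK$'; then
        echo accepted
    else
        echo rejected
    fi
}

# Revoke using the CA database's own copy (serial looked up by subject in index.txt:
# status, expiry, revocation date, serial, filename, subject), then emit a fresh CRL.
revoke_and_gencrl() {
    serial=$(awk -F'\t' -v cn="/CN=$CLIENT" '$1=="V" && $6==cn {print $4}' "$CA_DIR/index.txt")
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/newcerts/$serial.pem" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" 2>/dev/null
}

setup_ca
issue_client
rm -f "$SERVER_COPY/$CLIENT".*        # what the original poster did ...
BEFORE=$(verify_client)               # ... and bob is still accepted
echo "after rm on the server: $BEFORE"
revoke_and_gencrl
AFTER=$(verify_client)                # now rejected
echo "after revoke + CRL:     $AFTER"
echo "server.conf line:       crl-verify $CA_DIR/crl.pem"
```

Run it as-is to see "accepted" turn into "rejected" only after the CRL exists; in real life copy the new `crl.pem` to the server and point `crl-verify` at it (OpenVPN re-reads the CRL on each new connection, so no restart is needed for later revocations). The client-config-dir fallback from the reply is a one-liner against the server's `ccd` directory: `echo disable > ccd/bob`, or, to whitelist instead, add `ccd-exclusive` to `server.conf` and create an (optionally empty) `ccd/<CN>` file only for the clients you still want in.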