>This is probably a stupid question. Is it possible to revoke a client
>without actually having their certificate? I'm thinking that's
>impossible, or is there a way you can blacklist their common name?
>
>I removed some client certificates from a server because I thought they
>weren't needed, which they weren't for the clients to connect, but now I
>can't revoke them, as it says unable to load certificate.
>
>Seems rather obvious now, but I didn't notice anything about this in the
>FAQ/HOWTO. I'm suggesting that some notes about this be added to the
>FAQ/HOWTO, especially where it says that clientX.crt is only needed by
>client (the table of files near the top of the HOWTO for example says
>just this...).

I had problems with this, too. The docs say you don't need your *.crt
files for the server. Fortunately, some of the easy-rsa/keys/*.pem
files seem to be perfect copies of the *.crt files. You just need to
find the right one and copy it.

How to fix:

    grep username easy-rsa/keys/*.pem

to find the certificate you need, then

    cp ??.pem username.crt

to replace the certificate you're missing.

Then you can run the revoke-full script in the usual fashion.

To whom it may concern:
This really should be in the docs under
http://openvpn.net/howto.html#revoke. It also might make sense to
provide this capability to revoke-full...
~jwhitlark
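The grep-and-copy recovery described in the reply above, written out as a small POSIX shell script. This is an added example and not part of the original thread or of the easy-rsa scripts; it assumes the layout the reply describes (easy-rsa/keys/NN.pem files written by "openssl ca", each with a text dump containing the Subject line ahead of the PEM block) and builds a constructed keys directory with placeholder PEM bodies so it can be run offline. The function names (find_cert_for_cn, restore_cert, make_sample_keys_dir) are the example's own. Matching the CN as a whole field avoids picking up "client12" when you asked for "client1", and refusing to copy when more than one file matches avoids silently revoking the wrong (e.g. older, reissued) certificate.

```shell
#!/bin/sh
# Added example, not from the original thread: recover a client certificate
# copy from the easy-rsa CA's per-serial .pem files so that it can be revoked.
set -eu

# find_cert_for_cn KEYS_DIR CN
# Prints the path of the single .pem whose Subject line carries exactly CN=<CN>.
# The CN is treated as a regular expression, so pass plain names only.
# Returns non-zero (and prints nothing) when no file or more than one file matches.
find_cert_for_cn() {
    keys_dir=$1
    cn=$2
    # "openssl ca" writes the subject as "..., CN=name, emailAddress=..." (or the
    # older "/CN=name/..." form), so accept a comma, slash or end of line after it.
    matches=$(grep -l -E "Subject:.*CN=${cn}(,|/|\$)" "$keys_dir"/*.pem 2>/dev/null || true)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$matches"
}

# restore_cert KEYS_DIR CN DEST
# Copies the unique matching .pem to DEST (e.g. easy-rsa/keys/username.crt)
# and prints DEST; fails without copying anything if the match is not unique.
restore_cert() {
    src=$(find_cert_for_cn "$1" "$2") || {
        echo "no unique certificate for CN=$2 in $1" >&2
        return 1
    }
    cp "$src" "$3"
    printf '%s\n' "$3"
}

# make_sample_keys_dir
# Builds a constructed stand-in for easy-rsa/keys in a temp directory and
# prints its path. The PEM bodies are placeholders, not real certificates;
# only the text dump that precedes them matters for the lookup.
make_sample_keys_dir() {
    d=$(mktemp -d)
    for entry in "01 alice" "02 alice2" "03 bob"; do
        serial=${entry%% *}
        name=${entry#* }
        cat > "$d/$serial.pem" <<EOF
Certificate:
    Data:
        Serial Number: $serial
        Subject: C=US, ST=CA, O=Fort-Funston, CN=$name, emailAddress=me@myhost.mydomain
-----BEGIN CERTIFICATE-----
placeholder-body-for-$name
-----END CERTIFICATE-----
EOF
    done
    printf '%s\n' "$d"
}

# Usage against a real easy-rsa tree (not run here):
#   restore_cert easy-rsa/keys client1 easy-rsa/keys/client1.crt
#   ./revoke-full client1
```

Before running revoke-full on the recovered file it is worth confirming it really is the certificate you meant, for example with `openssl x509 -in username.crt -noout -subject -serial`, and comparing the serial against the CA's index.txt entry for that client.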
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users