Great, I understand, thanks.
Regards, Lars.
From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
CC: lars_bonnesen@xxxxxxxxxxx
Subject: Re: [Openvpn-users] Delete certificates
Date: Tue, 05 Jun 2007 14:32:36 -0300
Lars Bonnesen wrote:
>> Try modifying the revoke-full and revoke-cert script for doing that!!
>> I'm sure you'll need no more than 2-3 new lines and it's done.
>> The idea of revoking a certificate and it still continuing to be valid for
>> some hours does bother me a lot. If I revoke a certificate, I want the
>> connection to be denied NOW ... and not in some hours, when the cron job
>> will run.
>> OK, once a day can be adequate for your system ... but I'm sure
>> modifying the revoke scripts will be extremely easy and you'll get
>> immediate revocation working :)
>
> Ok, you are right - why not place the file in the right place in the first
> go...
>
> Another thing. How to reissue a certificate. For instance if you would
> like to enable a password on a certificate or force a change on it? Is it
> as simple as to run build-key-pass again, or do you have to revoke and
> issue a new certificate (with a new common name)?

You ALWAYS have to revoke if you don't want the certificate to connect
anymore. After revoking, there's no 'unrevoking'. And after revoking, you
can build another certificate with the same common name (CN). Notice that
building a certificate with the same CN from a revoked certificate will NOT
allow that revoked one (with the same CN) to connect again. It's revoked,
that's the end. The new certificate with the old CN will be a new
certificate, despite the reused CN.
--
Sincerely,
Leonardo Rodrigues
Solutti Tecnologia
http://www.solutti.com.br
My SPAMTRAP, do not email it
gertrudes@xxxxxxxxxxxxxx
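
The behaviour described in the reply above (a revoked certificate stays revoked, while a new certificate issued with the same CN is accepted) can be reproduced with plain `openssl`. This is an added example, not part of the original messages: the throwaway CA, the file names, the `client1` CN and the helper function names are all constructed for illustration.

```sh
# Added demo: throwaway CA in a temp dir; every name below is constructed.
revoke_demo() {
  d=$(mktemp -d) || return 1
  ( cd "$d" || exit 1
    mkdir newcerts; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
    q() { "$@" >/dev/null 2>&1; }                        # run a command quietly
    issue() {                                             # $1 = file prefix; CN is always client1
      q openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=client1" -keyout "$1.key" -out "$1.csr" &&
      q openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt"
    }
    q openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=Demo CA" -days 30 -keyout ca.key -out ca.crt || exit 1
    issue old || exit 1                                   # serial 01
    q openssl ca -config ca.cnf -revoke old.crt || exit 1 # the CRL entry is the serial, not the CN
    issue new || exit 1                                   # same CN, serial 02
    q openssl ca -config ca.cnf -gencrl -out crl.pem || exit 1
    for c in old new; do                                  # check each cert against the CRL
      if out=$(openssl verify -CAfile ca.crt -CRLfile crl.pem -crl_check "$c.crt" 2>&1); then s=accepted
      elif echo "$out" | grep -q "certificate revoked"; then s=revoked
      else s=error; fi
      echo "$c.crt (CN=client1): $s"
    done
  )
  rc=$?; rm -rf "$d"; return $rc
}
revoke_demo
```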
______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users