Hi List,

I have been testing the setup of OpenVPN 2.0 and easy-rsa version 2.0 for possible deployment in our network. I have come across an issue with revoking certificates.

First off, it allows you to create multiple certificates with the same common name. This is pointed out in the documentation as useful for creating a certificate with the same common name as a previously revoked certificate (lost passwords etc.). However, if you create 2 certificates with the same common name and issue the ./revoke-full command on the common name, it revokes the most recently created certificate. If you issue the revoke command again with the same common name, it says that the certificate is already revoked.

When I tested connection to the server from a client PC, the revoked certificate is rejected as expected, but the certificate created initially still works and you have no way of revoking it. Having a certificate out in the field that you cannot revoke is obviously very dangerous and will give you a big headache if you have to create a new CA and re-issue all your certificates.

How have other people coped with this? Would the best plan be to write a wrapper for the revoke-full command to ensure that a common name cannot be created if a valid one already exists? I could do this by reading the contents of index.txt.

Any thoughts?

regards,
Aidan

____________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
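One way to build the index.txt check Aidan proposes, as an added example that is not code from the post or from easy-rsa: it parses the OpenSSL `ca` database that easy-rsa keeps in `keys/index.txt`, lists every still-valid serial for a common name (so each duplicate can be revoked individually by its own certificate file rather than by name), and refuses issuance while a valid entry exists. The sample database is constructed, and the six-column layout (status, expiry, revocation date, serial, file, subject) is assumed to match the standard OpenSSL `ca` index format.

```python
"""Guard against duplicate valid common names in an OpenSSL CA index.txt.

Assumption: index.txt is the tab-separated OpenSSL 'ca' database
(status V/R/E, expiry, revocation date, serial, filename, subject DN).
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "status expiry revoked serial filename subject")

# Constructed sample: CN=alice was issued twice; revoke-full revoked only
# the newer one (serial 03), leaving serial 02 valid and still usable.
SAMPLE_INDEX = (
    "V\t180201120000Z\t\t01\tunknown\t/C=US/O=Example/CN=server\n"
    "V\t180201120000Z\t\t02\tunknown\t/C=US/O=Example/CN=alice\n"
    "R\t180201120000Z\t080215093000Z\t03\tunknown\t/C=US/O=Example/CN=alice\n"
    "V\t180201120000Z\t\t04\tunknown\t/C=US/O=Example/CN=bob\n"
)


def parse_index(text):
    """Parse index.txt contents into Entry records; reject malformed lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError("malformed index.txt line: %r" % line)
        entries.append(Entry(*fields))
    return entries


def common_name(subject):
    """Extract the CN component from a /C=../O=../CN=.. subject string."""
    m = re.search(r"/CN=([^/]*)", subject)
    return m.group(1) if m else None


def valid_serials_for(entries, cn):
    """Serials of every certificate with status V whose subject CN matches."""
    return [e.serial for e in entries
            if e.status == "V" and common_name(e.subject) == cn]


def may_issue(entries, cn):
    """Wrapper policy: refuse a new certificate while any valid one exists."""
    return not valid_serials_for(entries, cn)
```

Revoking by serial instead of by name (for example with `openssl ca -revoke` on the certificate file for serial 02) closes the gap the post describes, since revoke-full only finds the newest match.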