I'm planning to use OpenVPN France-wide with several clients/profiles/security policies, so I ask myself how OpenVPN manages multiple CRLs and multiple CAs/sub-CAs...
I read the HOWTO and I conclude that OpenVPN only checks whether a client and a server have a certificate signed by the same CA, and that the CRL must be issued by this CA too.
But if OpenVPN wants to get a company-wide audience, it will need a different approach.
Here's a typical company PKI tree:
          CAroot
          /    \
      SubCA1   SubCA2
        |       |    \
     client1 server2 client2

CAroot, SubCA1 and SubCA2 all have their own CRL.
1) If SubCA2 is revoked by CAroot, does client2 refuse to connect to server2?
2) If client1 is revoked by SubCA1, does server2 refuse to allow its connection?
I'm not criticizing OpenVPN, not at all. It's just a reflection on how we can enhance the way OpenVPN does it.
So, implement OCSP? Check the CDP (CRL distribution point) over HTTP/LDAP?
Near 2.0, can we just dream about OpenVPN 3.0 features ;-)
____________________________________________ Openvpn-users mailing list Openvpn-users@xxxxxxxxxxxxxxxxxxxxx https://lists.sourceforge.net/lists/listinfo/openvpn-users
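The hierarchy drawn in the post, rebuilt with the openssl command-line tool as an added example (this is not code from the post or from the OpenVPN project): it creates CAroot, SubCA1, SubCA2, client1, server2 and client2, issues one CRL per CA, and answers the two questions as plain X.509 path validation with `openssl verify`, independent of what any VPN daemon does. All keys, certificates, CRLs and the minimal `openssl ca` configuration are constructed in a temporary directory; the script assumes an OpenSSL 1.1.1 or newer binary on the PATH.

```shell
#!/bin/sh
# Added example (constructed): two-level PKI from the post, with one CRL per CA.
# Question 1: CAroot revokes SubCA2 -> is server2 still accepted?
# Question 2: SubCA1 revokes client1 -> is client1 still accepted?
set -eu

PKI=$(mktemp -d)
cd "$PKI"

# Request config: empty DN section (we always pass -subj) plus extension
# profiles for CA and end-entity certificates.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
EOF

# gen_crl CA: (re)issue CA's CRL from its revocation database.
gen_crl() {
  openssl ca -config "$1.cnf" -gencrl -crldays 30 -out "$1.crl" 2>/dev/null
}

# make_ca NAME [ISSUER]: self-signed root when ISSUER is omitted, otherwise a
# sub-CA signed by ISSUER. Each CA gets its own 'openssl ca' database so that
# it can revoke certificates and publish its own CRL.
make_ca() {
  name=$1; issuer=${2:-}
  if [ -z "$issuer" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.crt" \
      -days 365 -subj "/CN=$name" -config req.cnf 2>/dev/null
  else
    openssl req -newkey rsa:2048 -nodes -keyout "$name.key" -out "$name.csr" \
      -subj "/CN=$name" -config req.cnf 2>/dev/null
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 365 -extfile req.cnf -extensions v3_ca \
      -out "$name.crt" 2>/dev/null
  fi
  : > "$name.index"; echo 1000 > "$name.crlnumber"
  cat > "$name.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database    = $PKI/$name.index
crlnumber   = $PKI/$name.crlnumber
certificate = $PKI/$name.crt
private_key = $PKI/$name.key
default_md  = sha256
EOF
  gen_crl "$name"
}

# make_leaf NAME ISSUER: end-entity certificate signed by a sub-CA.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config req.cnf 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
    -days 365 -extfile req.cnf -extensions v3_leaf -out "$1.crt" 2>/dev/null
}

# revoke_cert CA NAME: put NAME on CA's CRL and republish the CRL.
revoke_cert() {
  openssl ca -config "$1.cnf" -revoke "$2.crt" 2>/dev/null
  gen_crl "$1"
}

# chain_ok LEAF SUBCA: full path validation up to CAroot with -crl_check_all,
# i.e. every certificate in the chain is checked against its issuer's CRL.
# Returns 0 when the chain is valid, 1 otherwise.
chain_ok() {
  cat CAroot.crl "$2.crl" > crls.pem
  openssl verify -CAfile CAroot.crt -untrusted "$2.crt" -CRLfile crls.pem \
    -crl_check_all "$1.crt" >/dev/null 2>&1
}

# leaf_only_ok LEAF SUBCA: same path, but plain -crl_check only consults the CRL
# that covers the leaf itself; revocation of an intermediate goes unnoticed.
leaf_only_ok() {
  cat CAroot.crl "$2.crl" > crls.pem
  openssl verify -CAfile CAroot.crt -untrusted "$2.crt" -CRLfile crls.pem \
    -crl_check "$1.crt" >/dev/null 2>&1
}

make_ca CAroot
make_ca SubCA1 CAroot
make_ca SubCA2 CAroot
make_leaf client1 SubCA1
make_leaf server2 SubCA2
make_leaf client2 SubCA2

chain_ok server2 SubCA2 && echo "server2: accepted before any revocation"

# Question 1: CAroot revokes SubCA2.
revoke_cert CAroot SubCA2
chain_ok server2 SubCA2 || echo "server2: rejected, SubCA2 is on CAroot's CRL (full-chain check)"
leaf_only_ok server2 SubCA2 && echo "server2: still accepted when only the leaf CRL is consulted"

# Question 2: SubCA1 revokes client1.
revoke_cert SubCA1 client1
chain_ok client1 SubCA1 || echo "client1: rejected, it is on SubCA1's CRL"
```

The two outcomes depend entirely on the verifier: with full-chain revocation checking and the CRLs of every CA in the path available, a revoked SubCA2 takes server2 and client2 down with it, and a revoked client1 is refused. A verifier that only loads the CRL covering the peer's own certificate answers question 1 with "yes, still accepted", which is the gap the post is pointing at.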