[OpenVPN home] [Date Prev] [Date Index] [Date Next]
[OpenVPN mailing lists] [Thread Prev] [Thread Index] [Thread Next]
Web openvpn.net

Re: [Openvpn-users] Delete certificates

  • Subject: Re: [Openvpn-users] Delete certificates
  • From: "Lars Bonnesen" <lars_bonnesen@xxxxxxxxxxx>
  • Date: Mon, 04 Jun 2007 23:58:40 +0200

Ok, I think I have actually misunderstood the revoke thing then. Correct me, if I am still wrong:

./revoke-full <certname>

a ctl.pem file is automatically created in /etc/openvpn/keys

in openvpn.conf, I add:

crl-verify <path>/crl.pem

Then when a revoked certificate connects, it is disallowed, right?

But... Doing so, I am not allowed to connect even with certificates not being revoked. I get a:

CRL: cannot read: ...... : Permission denied.

The file is there, tried to grant all access to the file, but no change...

OpenVPN runs on OpenBSD 4.1 as user nobody.

How to solve this?

Regards, Lars.

From: "Alon Bar-Lev" <alon.barlev@xxxxxxxxx>
To: "Lars Bonnesen" <lars_bonnesen@xxxxxxxxxxx>
CC: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: [Openvpn-users] Delete certificates
Date: Mon, 4 Jun 2007 20:36:39 +0300
MIME-Version: 1.0
Received: from ug-out-1314.google.com ([]) by bay0-mc11-f4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.2668); Mon, 4 Jun 2007 10:36:40 -0700 Received: by ug-out-1314.google.com with SMTP id q2so796407uge for <lars_bonnesen@xxxxxxxxxxx>; Mon, 04 Jun 2007 10:36:39 -0700 (PDT) Received: by with SMTP id h12mr7027681bud.1180978599438; Mon, 04 Jun 2007 10:36:39 -0700 (PDT)
Received: by with HTTP; Mon, 4 Jun 2007 10:36:39 -0700 (PDT)
X-Message-Info: 5ZHoJh3ZkQ2beHhjtR/Lqw+jGgHyYqvlcOX901YQIttX/7kYcd+iVW3Tpx/DmeMS DKIM-Signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=JtCKvvFU5qtHn/WNVi5czKQoJqBHpjZWfT8ckuo9XBNrjPaowyzMVjtJpIasLgikuFy8De5IQta0Ab9R+DyiPVAtbxUzNYdpYCITsGLyeJ0EjO4VITxYiPiVS6EpoodKUPzcIgSlTNl5M6d1aeZl8sk2lc5mLstx4ZFfP7aJUt4= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=ZaBFmIS7lvFY01gGlBBC5C9FpnDUtWlGo4ia4LdSlAf3PxfzC3c9YVPPPNBm/+8zDdwrU+fTUXpswUSQz/6wcviH0I4CB7sec/YSKBUUVzUFSUvOZZrBu/HDUdMeDgjG6BcL0J2KALgUoz/AASW6QHvCJnPFUZX/D85KmXx2+Mo=
References: <BAY116-F1632ED521D4A577F2ECD648C210@xxxxxxx>
Return-Path: alon.barlev@xxxxxxxxx
X-OriginalArrivalTime: 04 Jun 2007 17:36:41.0121 (UTC) FILETIME=[E950D110:01C7A6CE]

You don't need to delete the certificate, this is the whole point.
Just make OpenVPN use the CRL, and create a script that regular copy
the CRL into the location OpenVPN watches.
This way, when a revoked certificate tries to authenticate, it will fail.

On 6/4/07, Lars Bonnesen <lars_bonnesen@xxxxxxxxxxx> wrote:
I create certificates for OpenVPN with ./build-key-pass, I revoke them with

... but how do I delete them - I mean if I want to disallow a certian
certificate. I can probably delete the file, but it will still be in the
list. What is the right approach?

Regards, Lars.

Vælg selv hvordan du vil kommunikere - skrift, tale, video eller billeder
med MSN Messenger:  http://messenger.msn.dk/  - her kan du det hele

This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
Openvpn-users mailing list

Vælg selv hvordan du vil kommunikere - skrift, tale, video eller billeder med MSN Messenger: http://messenger.msn.dk/ - her kan du det hele

OpenVPN mailing lists