
Re: [Openvpn-users] Delete certificates

  • Subject: Re: [Openvpn-users] Delete certificates
  • From: "Lars Bonnesen" <lars_bonnesen@xxxxxxxxxxx>
  • Date: Tue, 05 Jun 2007 21:24:51 +0200

Great, I understand, thanks.

Regards, Lars.

From: Leonardo Rodrigues Magalhães <leolistas@xxxxxxxxxxxxxx>
To: openvpn-users@xxxxxxxxxxxxxxxxxxxxx
CC: lars_bonnesen@xxxxxxxxxxx
Subject: Re: [Openvpn-users] Delete certificates
Date: Tue, 05 Jun 2007 14:32:36 -0300

Lars Bonnesen wrote:

Try modifying the revoke-full and revoke-cert scripts to do that!! I'm sure you'll need no more than 2-3 new lines and it's done.

The idea of revoking a certificate and it still continuing to be valid for some hours does bother me a lot. If I revoke a certificate, I want the connection to be denied NOW ... and not in some hours, when the cron job will run.

OK, once a day can be adequate for your system ... but I'm sure modifying the revoke scripts will be extremely easy and you'll get immediate revocation working :)

Ok, you are right - why not place the file in the right place in the first go...

Another thing. How to reissue a certificate. For instance if you would like to enable a password on a certificate or force a change on it? Is it as simple as to run build-key-pass again, or do you have to revoke and issue a new certificate (with a new common name)?

You ALWAYS have to revoke if you don't want the certificate to connect anymore. After revoking, there's no 'unrevoking'. And after revoking, you can build another certificate with the same common name (CN). Notice that building a certificate with the same CN from a revoked certificate will NOT allow that revoked one (with the same CN) to connect again. It's revoked, that's the end. The new certificate with the old CN will be a new certificate, despite the reused CN.


	Sincerely,
	Leonardo Rodrigues
	Solutti Tecnologia

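The last point of the thread, that revocation applies to one certificate and not to its common name, can be checked with the plain openssl CLI. This is an added example, not part of the original messages or of the easy-rsa scripts; the throwaway CA, the file names and the CN `client1` are constructed for the demonstration.

```bash
# Constructed demo (needs the openssl CLI): throwaway CA, made-up names client1/demo-ca.
crl_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
unique_subject = no
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -config ca.cnf -extensions v3ca -newkey rsa:2048 -nodes \
      -keyout ca.key -out ca.crt -subj "/CN=demo-ca" -days 30 2>/dev/null
    issue() {  # new key + certificate, always with the same CN
      openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1.csr" -subj "/CN=client1" 2>/dev/null
      openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.crt" -notext 2>/dev/null
    }
    check() {  # verify against the CA with CRL checking enabled
      openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1.crt" \
        >/dev/null 2>&1 && echo accepted || echo rejected
    }
    issue old                                               # serial 01
    openssl ca -config ca.cnf -revoke old.crt 2>/dev/null   # marks serial 01 revoked
    issue new                                               # same CN, serial 02
    openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
    echo "old=$(check old) new=$(check new)"
  )
  rc=$?; rm -rf "$d"; return $rc
}
crl_demo
```

The CRL lists the revoked serial number only, which is why the reissued certificate with the reused CN verifies while the old one stays rejected.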