
Re: [Openvpn-users] verifying ns cert type?


  • Subject: Re: [Openvpn-users] verifying ns cert type?
  • From: "Alon Bar-Lev" <alon.barlev@xxxxxxxxx>
  • Date: Tue, 5 Feb 2008 13:55:23 +0200

NS type is an old, non-standard method.
Switch to verifying based on EKU.

On 2/5/08, Jan Just Keijser <janjust@xxxxxxxxx> wrote:
> Hi Dave,
>
> no need to revoke the server key, as you're in control of the server.
> Simply generate a new server key and restart openvpn.
>
> cheers,
>
> JJK
>
> Dave wrote:
> > Hi,
> >    Thanks for your reply. I've confirmed that my key does not have the
> > ns cert type on it, it was made and set up by another. I'd like to
> > correct this, do I have to issue a .crl or just remake the key?
> > Thanks.
> > Dave.
> >
> > ----- Original Message ----- From: "Jan Just Keijser" <janjust@xxxxxxxxx>
> > To: "Dave" <dmehler26@xxxxxxxxxx>
> > Cc: <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
> > Sent: Tuesday, February 05, 2008 5:34 AM
> > Subject: Re: [Openvpn-users] verifying ns cert type?
> >
> >
> >> do a
> >>  openssl x509 -text -noout -in <your-server-cert>
> >> and look at the X509v3 extensions section; for a 'Netscape Server' I get
> >>
> >>        X509v3 extensions:
> >>            X509v3 Basic Constraints:
> >>            CA:FALSE
> >>            Netscape Cert Type:
> >>            SSL Server
> >>            Netscape Comment:
> >>            OpenSSL Generated Server Certificate
> >>            X509v3 Subject Key Identifier:
> >>            ...
> >>            X509v3 Authority Key Identifier:
> >>            ...
> >>            X509v3 Extended Key Usage:
> >>            TLS Web Server Authentication
> >>            X509v3 Key Usage:
> >>            Digital Signature, Key Encipherment
> >>
> >> HTH,
> >>
> >> JJK
> >>
> >> Dave wrote:
> >>> Hello,
> >>>     I've got an openvpn server that I have to manage. One thing I
> >>> want to do is set all clients to verify the server certificate. I do
> >>> not know if the server's certificate was generated with its ns cert
> >>> type set to server, I've now set the openssl config file to generate
> >>> all future keys set to server. I'd rather not regenerate and
> >>> redistribute this key unless I have to, is there a way I can check
> >>> the existing server keys to see what their ns cert value is?
> >>>
>______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
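
The check discussed in this thread, as an added example that is not part of the original messages or OpenVPN's own code: it reads the `openssl x509 -text -noout` dump and reports whether the certificate carries the Netscape server type, the server EKU, or both. The function names and the sample dump are constructed for illustration, and the `remote-cert-eku` and `ns-cert-type` directive names are OpenVPN client options that the thread itself does not spell out.

```shell
#!/bin/sh
# Constructed sample: extension section modelled on the dump quoted in the thread.
SAMPLE_DUMP='        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment'

# Read an "openssl x509 -text -noout" dump on stdin and report which
# server-usage markers it carries: eku+ns, eku, ns or none.
classify_server_cert() {
    awk '
        # An extension name sits on one line and its value on the next.
        /X509v3 Extended Key Usage:/ { want = "eku"; next }
        /Netscape Cert Type:/        { want = "ns";  next }
        want == "eku" { if ($0 ~ /TLS Web Server Authentication/) eku = 1 }
        want == "ns"  { if ($0 ~ /SSL Server/) ns = 1 }
        { want = "" }
        END {
            if (eku && ns) print "eku+ns"
            else if (eku)  print "eku"
            else if (ns)   print "ns"
            else           print "none"
        }'
}

# Map the result to the client-side check the certificate can pass.
# Directive names are OpenVPN client options, not taken from the thread.
recommend_directive() {
    case "$(classify_server_cert)" in
        eku+ns|eku) echo 'remote-cert-eku "TLS Web Server Authentication"' ;;
        ns)         echo 'ns-cert-type server' ;;
        *)          echo 'reissue server certificate' ;;
    esac
}

printf '%s\n' "$SAMPLE_DUMP" | recommend_directive
```

Against a real certificate, pipe the dump in: `openssl x509 -text -noout -in <your-server-cert> | recommend_directive`.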