On Thu, 02 Apr 2015, Andrew Holway wrote:

> And et voila! It works! Although it does feel a bit hacky :)

I do it the same way as I control my systems and can be sure there is
one user per system for VPN access. Works nicely.

> Is it possible to manage key revocation? I understand that this mechanism
> is mostly quite broken. How long are you making Certificates valid for?

Standard mechanism works fine -- 'ipa cert-revoke'. However, you need to
deliver CRL to OpenVPN server because OpenVPN only supports checking CRL
from a file system. Theoretically one could make a systemd socket unit
that would use 'nc' and curl to pick up CRL from a CA every time OpenVPN
asks for it (on each client connection) or provide a cached version of
it.

An easiest way is to make CRL retrieval periodical and populate whatever
directory or file crl-verify is pointed to.
--
/ Alexander Bokovoy
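One way to do the periodic CRL retrieval described above, as an added example that is not code from the thread or from FreeIPA: a small script meant to run from cron or a systemd timer that downloads the CA's CRL, sanity-checks it, converts it to PEM and atomically replaces the file that OpenVPN's `crl-verify` points at, so a failed download or a garbage response never leaves OpenVPN without a CRL. The CRL URL, the destination path and the PEM/DER handling are assumptions; the only structural check made here is that the data is a well-formed outer DER SEQUENCE, so a real deployment should additionally verify the CRL signature against the CA certificate (for example with `openssl crl -verify -CAfile`) before installing it.

```python
"""Refresh the CRL file used by OpenVPN's crl-verify (illustrative, not FreeIPA's code).

Assumptions (not taken from the thread):
  - the CA publishes its CRL over HTTP at CRL_URL (DER or PEM),
  - OpenVPN's config contains `crl-verify /etc/openvpn/crl.pem`,
  - this script runs periodically as a user that may write that file.
"""
import base64
import binascii
import os
import sys
import tempfile
import urllib.request

CRL_URL = "http://ipa.example.test/ipa/crl/MasterCRL.bin"  # placeholder URL
CRL_DEST = "/etc/openvpn/crl.pem"                          # path given to crl-verify

PEM_HEADER = b"-----BEGIN X509 CRL-----"
PEM_FOOTER = b"-----END X509 CRL-----"


def to_der(data: bytes) -> bytes:
    """Return DER bytes for a PEM or DER CRL; raise ValueError on broken PEM."""
    if not data.startswith(PEM_HEADER):
        return data  # assume DER as published by the CA
    body = data[len(PEM_HEADER):]
    end = body.find(PEM_FOOTER)
    if end < 0:
        raise ValueError("PEM armor without END line")
    b64 = b"".join(body[:end].split())
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64 in PEM body") from exc


def looks_like_crl(der: bytes) -> bool:
    """Structural sanity check only: an outer DER SEQUENCE whose length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, hdr = first, 2
    else:                                 # long-form length, 1..4 length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return hdr + length == len(der)


def to_pem(der: bytes) -> bytes:
    """PEM-armor DER bytes with 64-column base64 lines (what OpenVPN reads)."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return PEM_HEADER + b"\n" + b"\n".join(lines) + b"\n" + PEM_FOOTER + b"\n"


def install_crl(data: bytes, dest: str) -> bool:
    """Validate data and atomically replace dest; leave the old file alone on failure."""
    try:
        der = to_der(data)
    except ValueError:
        return False
    if not looks_like_crl(der):
        return False
    directory = os.path.dirname(os.path.abspath(dest))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(to_pem(der))
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, 0o644)          # OpenVPN's unprivileged user must read it
        os.replace(tmp, dest)         # atomic on POSIX: readers see old or new, never partial
    except OSError:
        if os.path.exists(tmp):
            os.unlink(tmp)
        return False
    return True


def fetch_crl(url: str, timeout: float = 10.0) -> bytes:
    """Download the CRL; any network error propagates to the caller."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def refresh(url: str = CRL_URL, dest: str = CRL_DEST) -> bool:
    """Fetch and install the CRL; False means the existing file was kept."""
    try:
        data = fetch_crl(url)
    except (OSError, ValueError):
        return False
    return install_crl(data, dest)


if __name__ == "__main__":
    sys.exit(0 if refresh() else 1)
```

Because `crl-verify` is re-read on each client connection, replacing the file is enough; OpenVPN needs no reload. The exit status lets a timer or monitoring job notice when the CA has been unreachable for longer than the CRL's validity period, which is the point at which a stale file becomes a security problem rather than a convenience.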
