On 10-Apr-14 03:38, openvpn-users-requ...@lists.sourceforge.net wrote:

> Date: Thu, 10 Apr 2014 08:19:54 +0400
> From: Dmitry Melekhov <d...@belkam.com>
> Subject: Re: [Openvpn-users] what to do in case of openvpn CA expiration?
> To: openvpn-users@lists.sourceforge.net
> Message-ID: <53461bea.1080...@belkam.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> 09.04.2014 17:55, Timothe Litt wrote:
>>> Yes, thank you, this is a good theoretical explanation.
>>> All I need now are practical examples :-)
>>> I understand that this can be like reading mans for me, for the far more experienced... :-( Hope somebody already implemented this and can share...
>> That *was* practical;
> well, I asked for examples :-), practical _examples_.

I told you, I don't use the easyrsa software. I don't know whether or not it is capable of specifying a certificate start date or handling a level 2 CA.

I gave you practical advice (for free - you got what you paid for). Perhaps someone who uses easyrsa will help you with the next level of detail.

>> who use fancy commercial software that is integrated with other systems. (LDAP
> my openvpn setup is integrated with corporate ldap for authentication purposes, but I don't see any relation between ldap and certificates, even if one decided to store them in the directory...

In enterprise environments, the software that updates the LDAP directory for an employee (or contractor or affiliate) often handles creating, revoking and renewing the X509 certificates in a single transaction, with an integrated GUI. The subject's DN, OU, etc. are automatically generated from the LDAP data - and in fact, the LDAP name components are often the same, though this depends on the LDAP schema. And yes, storing the certs in LDAP simplifies distribution, which is important when they are used for other purposes, like signed/encrypted e-mail and files. For encrypted e-mail, I must have your certificate in order to send you a message. Without LDAP, I'd have to ask you to send me a signed (but not encrypted) message first. Or use sneakernet.

So in these environments, certificate management is not done with the 'getting started' tools - the openssl CLI 'CA', easyrsa, tiny ca or xca. The directory management tool often calls openssl [gnutls, polar ssl] (either directly via the C API, or the command line tools by a script) to do the actual certificate generation. Few people are wasteful - or knowledgeable - enough to write their own crypto software.

>> easyrsa seems to be a very simple wrapper around openssl.
> yes, sure, but it is recommended in most openvpn howtos, even now :-)

Because it's simple. And free. Because it makes it easy to get started with openvpn. Because it's adequate for evaluating the VPN technology.

It's not adequate, as you are discovering, for a large-scale deployment, or even a medium one in the long term.

If openvpn (or any other X509-based tool) recommended more substantial certificate management tools, many people would decide that it's too hard to use. The 'getting started' tools let people focus on the product (here openvpn) with minimal effort. Once you decide to use it, then you are expected to go to real tools for the certificate infrastructure.

The same thing happens with SSL webservers. And mail servers. And...

>> Since you'll document your experience, perhaps YOU can contribute instructions for the next person!
> Thank you for pointing in the right direction, but, yes, it looks like I have to walk this way myself, because, as I understand now, there is no ready-to-use recipe, which, btw, looks strange to me, because this should be a very usual task, so I assumed it is supported by easyrsa... sigh... :-)

I don't know if CA roll-over is or is not supported. The underlying openssl tools certainly can do this. easyrsa may well have 'simplified' these out of the GUI - its goal seems to be 'getting started', not long-term, scalable or highly secure support.

I have not done more than a couple of minutes of research on easyrsa - and as I use other tools, I don't intend to.

As for being surprised that this isn't documented - lots of people read documentation. Few write it. Getting started is exciting, so people write about that. Keeping things going isn't as exciting. So people don't.

Since you have publicized this issue, I hope that you will join the writers.

> The good thing is that I finally have an opportunity to learn something about openssl :-) Thank you!
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users