On Sat, 26 Aug 2023 05:32:56 +0000 (UTC), Jason Long via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>> On 25.08.23 21:41, Jason Long via Openvpn-users wrote:
>>> Hello,
>>> With the help of the following command, you can revoke a certificate:
>>> # ./revoke-full "Client_Name"
>>> Now if you change your mind, is it possible to use that certificate again?
>>> Is there a command to validate a revoked certificate?
>>
>> Semantically, no, there is no such thing as "unrevoking" a certificate.
>>
>> Technically, you can get a cert back out of a CRL or other listing, and
>> hope that the world will forget it was ever listed there, or never
>> noticed that in the first place, but it'd probably be less work to just
>> have the CA issue a *new* cert instead.
>>
>> *Revoked* certs do *not* count against the guideline of "there shouldn't
>> be two certs by the same CA for the same DN with overlapping validity
>> periods".
>
> Hi Jochen,
> Thank you so much for your reply.
> I have two questions:
>
> 1- How do you give keys to a large number of clients? Suppose there are
> 1000 employees in a company, do all employees have to go to the IT
> department of that company to get the client keys?

If they need to "go" depends on your location geometry....
But every single client allowed access through VPN must have his/her own
cert etc with unique CommonName, otherwise there is no way you can
selectively allow/disallow connection!

> 2- Is it possible to send a new key to clients automatically when client
> key is revoked?

Why would you? If you revoke a client then he is not supposed to connect
so why then send a new key?

There are problems with blocking client access via revocation:

1) You have to revoke the client's cert, which is a bit of a hassle.

2) You have to have a working update system on the server, which
refreshes the revocation list regularly (like at least weekly) even if
there has been no change to the list of revoked certs.

I tried to use revocation on our company VPN when a few employees left
and it seemed to work fine until a week later when it did not work
anymore!
At that point the VPN stopped working for *everyone*, no one was allowed
in at all!!!
Luckily I had a second VPN server to be used when maintenance was needed
on the main server so I could go in and disable the revocation checking
system and then the legit people could again connect.

To lock out the users no longer allowed access I instead used the ccd
system by adding this to the top of each such user's connect script in
the ccd dir(s):

    #2023-02-25: This client is blocked from connecting
    disable

This solves the problem and is persistent, but it requires the system to
have individual certs for each user (but who would not?).
To re-allow the client to connect is now as simple as removing the
disable command from the ccd file for the client.

This of course assumes you are not cheating the system by giving out
*copies* of a single ovpn file thus with the same Common Name for
everyone.

--
Bo Berglund
Developer in Sweden

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users