On Sat, 26 Aug 2023 05:32:56 +0000 (UTC), Jason Long via Openvpn-users <openvpn-users@lists.sourceforge.net> wrote:
>On 25.08.23 21:41, Jason Long via Openvpn-users wrote:
>> Hello, With the help of the following command, you can revoke a certificate:
>> # ./revoke-full "Client_Name"
>> Now if you change your mind, is it possible to use that certificate again?
>> Is there a command to validate a revoked certificate?
>
>>Semantically, no, there is no such thing as "unrevoking" a certificate.
>
>>Technically, you can get a cert back out of a CRL or other listing, and
>>hope that the world will forget it was ever listed there, or never
>>noticed that in the first place, but it'd probably be less work to just
>>have the CA issue a *new* cert instead.
>
>>*Revoked* certs do *not* count against the guideline of "there shouldn't
>>be two certs by the same CA for the same DN with overlapping validity
>>periods".
>
>
>Hi Jochen,
>Thank you so much for your reply.
>I have two questions:
>
>1- How do you give keys to a large number of clients? Suppose there are
>1000 employees in a company, do all employees have to go to the IT
>department of that company to get the client keys?
>If they need to "go" depends on your location geometry....
>But every single client allowed access through VPN must have his/her own cert
>etc with unique CommonName, otherwise there is no way you can selectively
>allow/disallow connection!
>2- Is it possible to send a new key to clients automatically when client
>key is revoked?
>
>Why would you? If you revoke a client then he is not supposed to connect so why
>then send a new key?
>There are problems with blocking client access via revocation:
>1) You have to revoke the client's cert, which is a bit of a hassle.
>2) You have to have a working update system on the server, which refreshes the
>revocation list regularly (like at least weekly) even if there has been no
>change to the list of revoked certs.
>I tried to use revocation on our company VPN when a few employees left and it
>seemed to work fine until a week later when it did not work anymore!
>At that point the VPN stopped working for *everyone*, no one was allowed in at
>all!!!
>Luckily I had a second VPN server to be used when maintenance was needed on the
>main server so I could go in and disable the revocation checking system and
>then the legit people could again connect.
>To lock out the users no longer allowed access I instead used the ccd system by
>adding this to the top of each such user's connect script in the ccd dir(s):
>#2023-02-25: This client is blocked from connecting
>disable
>This solves the problem and is persistent, but it requires the system to have
>individual certs for each user (but who would not?).
>To re-allow the client to connect is now as simple as removing the disable
>command from the ccd file for the client.
>This of course assumes you are not cheating the system by giving out *copies*
>of a single ovpn file thus with the same Common Name for everyone.
>--
>Bo Berglund
>Developer in Sweden

Hi,
Thank you so much for your reply.
1- Suppose you want to revoke the previous key for any reason. When the client certificate is revoked or expired, is it possible to send a new key to clients automatically?
2- When a key is generated, how many days is the default time for it to expire?
3- Are the following commands correct to expire the client key after 110 days?
# export EASYRSA_CERT_EXPIRE=110
# ./easyrsa gen-req My_Client nopass
# ./easyrsa sign-req client My_Client
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
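The ccd-based blocking Bo describes above, written out as a small POSIX shell helper. This is an added example, not code from the thread or from the OpenVPN project; it assumes the ccd directory path is passed in and that each client's ccd file is named after the certificate's Common Name (the per-user-cert layout Bo insists on).

```shell
#!/bin/sh
# Added example: block/unblock an OpenVPN client via its ccd file, the way
# Bo Berglund describes (a dated comment plus "disable" at the top).
# Assumption: ccd files are named after the client cert's Common Name.

# client_is_blocked CCD_DIR CN: succeed if the client's ccd file has "disable".
client_is_blocked() {
    grep -q -E '^disable[[:space:]]*$' "$1/$2" 2>/dev/null
}

# block_client CCD_DIR CN [DATE]: prepend the dated comment and "disable",
# creating the file if needed. Existing directives (e.g. ifconfig-push) are
# kept below so the block can be lifted without losing them. Idempotent.
block_client() {
    ccd_dir=$1; cn=$2; date=${3:-$(date +%Y-%m-%d)}
    f="$ccd_dir/$cn"
    [ -f "$f" ] || : > "$f"
    if client_is_blocked "$ccd_dir" "$cn"; then
        return 0
    fi
    tmp="$f.tmp"    # same directory, so mv keeps ownership/permissions sane
    {
        printf '#%s: This client is blocked from connecting\n' "$date"
        printf 'disable\n'
        cat "$f"
    } > "$tmp"
    mv "$tmp" "$f"
}

# unblock_client CCD_DIR CN: remove the "disable" line and the block comment,
# leaving every other directive in place.
unblock_client() {
    ccd_dir=$1; cn=$2
    f="$ccd_dir/$cn"
    [ -f "$f" ] || return 0
    tmp="$f.tmp"
    grep -v -E '^(disable[[:space:]]*$|#[0-9]{4}-[0-9]{2}-[0-9]{2}: This client is blocked)' \
        "$f" > "$tmp" || true    # grep -v exits 1 when nothing remains
    mv "$tmp" "$f"
}

# list_blocked CCD_DIR: print the CN of every client currently blocked, so the
# set of locked-out users can be audited at a glance.
list_blocked() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        client_is_blocked "$1" "$(basename "$f")" && basename "$f"
    done
    return 0
}
```

Run `list_blocked /etc/openvpn/ccd` (path assumed) after any change to confirm exactly the intended Common Names are disabled.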