On 26.08.23 07:32, Jason Long wrote:
> 1- How do you give keys to a large number of clients? Suppose there are
>    1000 employees in a company, do all employees have to go to the IT
>    department of that company to get the client keys?

Certificates are technical proof that the CA trusts the holder to have a set of properties - whether that's an e-mail address, a full (legal) name, being an employee, of a specific department / with a specific job title / legal capacity within the company, a paying customer, a resident of the city, yadda yadda. (In your case, it would either *happen* to imply "yes, he may use that VPN, too", or *be* simply "permission to use that VPN", whatever purpose the VPN serves.)

In order for the entity to receive a certificate, that entity has to do whatever it takes to make the CA have that trust in them. If you're handing out employee certificates in a large company where the only way to verify "yes, he's one of us" is to compare the photo on his badge with his face, then yes, he'll obviously have to show up in your office to do that. (And you should agree on a confidential transfer password so that the cert can later be sent by an insecure channel - unless you create it and *somehow* hand it to him on the spot.)

Ideally, there should be a written policy on what the CA considers satisfactory procedures. Yes, that likely means that it's *your* job to at least define, if not write, it.

> 2- Is it possible to send a new key to clients automatically when client
>    key is revoked?

Not with one OpenVPN connection alone (as revoking the key means that you do not trust that client anymore, and thus should hand over a new one to the (re-)verified holder by *different*, still-trusted means).

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
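The lifecycle the reply sketches (CA issues a client certificate once the holder is verified, the bundle travels over an insecure channel under a transfer password agreed out of band, and revocation is enforced by a CRL rather than by anything the client does) can be walked through with the plain openssl CLI. This is an added example, not code from the thread or from the OpenVPN project; it assumes the `openssl` binary is on PATH and writes everything to a throw-away temporary directory. The CA name, the client name `alice` and the transfer password are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): issue, bundle, revoke and
# re-check a VPN client certificate with the openssl CLI.
# Identity names and the transfer password below are constructed values.
set -eu

CA_DIR=""   # filled in by ca_init

# Create a throw-away CA with the index/serial files `openssl ca` needs,
# plus an initial (empty) CRL so that a -crl_check has something to read.
ca_init() {
  CA_DIR=$(mktemp -d)
  : > "$CA_DIR/index.txt"
  echo 1000 > "$CA_DIR/serial"
  echo 1000 > "$CA_DIR/crlnumber"
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CA_DIR
database = \$dir/index.txt
new_certs_dir = \$dir
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo VPN CA" \
    -config "$CA_DIR/openssl.cnf" -extensions v3_ca \
    -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" >/dev/null 2>&1
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# Issue a client certificate for $1, an identity the CA has already verified
# by whatever its written policy requires (that step is outside this script).
issue_client() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -config "$CA_DIR/openssl.cnf" \
    -keyout "$CA_DIR/$1.key" -out "$CA_DIR/$1.csr" >/dev/null 2>&1
  openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" -extensions client_ext \
    -in "$CA_DIR/$1.csr" -out "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Bundle key + cert + CA cert into a PKCS#12 file under a transfer password
# ($2) agreed out of band, so the file itself may travel an untrusted channel.
export_bundle() {
  openssl pkcs12 -export -in "$CA_DIR/$1.crt" -inkey "$CA_DIR/$1.key" \
    -certfile "$CA_DIR/ca.crt" -name "$1" -out "$CA_DIR/$1.p12" \
    -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
    -passout "pass:$2" >/dev/null 2>&1
}

# Exit 0 if password $2 opens $1's bundle (integrity MAC verifies), else non-zero.
bundle_opens_with() {
  openssl pkcs12 -in "$CA_DIR/$1.p12" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Revoke $1 and publish a fresh CRL; the client is not contacted at all.
revoke_client() {
  openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/$1.crt" >/dev/null 2>&1
  openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -out "$CA_DIR/crl.pem" >/dev/null 2>&1
}

# What the server side does on connect: chain check plus CRL check.
client_is_valid() {
  openssl verify -crl_check -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
    "$CA_DIR/$1.crt" >/dev/null 2>&1
}

# Whole lifecycle; prints "lifecycle OK" and exits 0 when every expectation holds.
lifecycle_demo() {
  ca_init
  issue_client alice
  export_bundle alice "constructed-transfer-pw"
  bundle_opens_with alice "constructed-transfer-pw" || return 1
  if bundle_opens_with alice "wrong-password"; then return 1; fi
  client_is_valid alice || return 1
  revoke_client alice
  if client_is_valid alice; then return 1; fi
  rm -rf "$CA_DIR"
  echo "lifecycle OK"
}

lifecycle_demo
```

Two details worth noticing: the CRL has to exist (even empty) before the first `-crl_check`, which is why `ca_init` generates one, and after `revoke_client` the same certificate fails verification without any message to the holder. That is the practical content of the second answer above: an OpenVPN server pointed at this `crl.pem` via `crl-verify` simply stops accepting the old certificate, and a replacement has to reach the re-verified person by some other trusted path.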
