> On 26.08.23 07:32, Jason Long wrote:
>> 1- How do you give keys to a large number of clients? Suppose there are
>> 1000 employees in a company, do all employees have to go to the IT
>> department of that company to get the client keys?
>
> Certificates are technical proof that the CA trusts the holder to have a
> set of properties - whether that's an e-mail address, a full (legal)
> name, being an employee, of a specific department / with a specific job
> title / legal capacity within the company, a paying customer, a resident
> of the city, yadda yadda. (In your case, it would either *happen* to
> imply "yes, he may use that VPN, too", or *be* simply "permission to use
> that VPN", whatever purpose the VPN serves.)
>
> In order for the entity to receive a certificate, that entity has to do
> whatever it takes to make the CA have that trust in them. If you're
> handing out employee certificates in a large company where the only way
> to verify "yes, he's one of us" is to compare the photo on his badge
> with his face, then yes, he'll obviously have to show up in your office
> to do that. (And you should agree on a confidential transfer password so
> that the cert can later be sent by an insecure channel - unless you
> create it and *somehow* hand it to him on the spot.)
>
> Ideally, there should be a written policy on what the CA considers
> satisfactory procedures. Yes, that likely means that it's *your* job to
> at least define, if not write, it.
>
>> 2- Is it possible to send a new key to clients automatically when client
>> key is revoked?
>
> Not with one OpenVPN connection alone (as revoking the key means that
> you do not trust that client anymore, and thus should hand over a new
> one to the (re-)verified holder by *different*, still-trusted means).
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hello,
Thanks again.

1- When a key is generated, how many days is the default time for it to expire?

2- Are the following commands correct to expire the client key after 110 days?

# export EASYRSA_CERT_EXPIRE=110
# ./easyrsa gen-req My_Client nopass
# ./easyrsa sign-req client My_Client

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
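As an added example (not from the thread), a POSIX shell check that reads back the notBefore/notAfter of an issued certificate and reports its lifetime and remaining days, so you can confirm what EASYRSA_CERT_EXPIRE actually produced; it assumes openssl and GNU date (date -d) are on the PATH, and the make_test_cert helper builds a throwaway self-signed certificate as a constructed stand-in for pki/issued/My_Client.crt.

```shell
#!/bin/sh
# Added example (not from the thread): read back a certificate's validity
# period to confirm what EASYRSA_CERT_EXPIRE actually produced.
# Assumes openssl and GNU date (date -d) are on the PATH.

# Seconds since epoch for a date string as printed by "openssl x509 -dates",
# e.g. "Dec 14 06:32:00 2023 GMT".
asn1_to_epoch() {
    date -u -d "$1" +%s
}

# Total lifetime in whole days (notAfter minus notBefore).
# Run it against pki/issued/My_Client.crt; expect 110 for the commands above.
cert_lifetime_days() {
    start=$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ($(asn1_to_epoch "$end") - $(asn1_to_epoch "$start")) / 86400 ))
}

# Days remaining until expiry; negative once the certificate has expired.
cert_days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | cut -d= -f2)
    echo $(( ($(asn1_to_epoch "$end") - $(date -u +%s)) / 86400 ))
}

# Constructed stand-in for an easy-rsa issued client certificate: a throwaway
# self-signed cert valid for $2 days, written to $1 (its key goes to $1.key).
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=My_Client" -keyout "$1.key" -out "$1" >/dev/null 2>&1
}

# Demo: with a certificate path as argument, report on that file; otherwise
# build a 110-day test certificate and report on it.
if [ -n "${1:-}" ]; then
    cert="$1"
else
    cert=$(mktemp -d)/My_Client.crt
    make_test_cert "$cert" 110
fi
echo "lifetime: $(cert_lifetime_days "$cert") days, left: $(cert_days_left "$cert") days"
```

Point it at the real file (sh check.sh pki/issued/My_Client.crt) after running sign-req; if the lifetime printed is not 110, the variable was not in effect when the certificate was signed.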