> On Tuesday, January 9th, 2024 at 10:42 AM, Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi,
>
> On Tue, Jan 09, 2024 at 07:08:08AM +0000, Peter Davis wrote:
> > Thanks again.
> > I forgot to tell you that this is an internal server. I have other
> > questions:
> >
> > 1- Assuming my vars file is as follows:
> >
> > export KEY_COUNTRY="US"
> > export KEY_PROVINCE="CA"
> > export KEY_CITY="NY"
> > export KEY_ORG="GreatCoder"
> > export KEY_EMAIL="ad...@greatcoder.xyz"
> > export KEY_OU="OpenVPN"
> >
> > I generated the server and client keys and then deleted the Easy-RSA
> > directory. After a few months I revoke the keys
>
> If you throw away the CA, there is no way to (cryptographically) revoke
> anything. "Revocation" needs a signature from the CA that something is
> no longer seen as trusted.
>
> > and create a vars file again with the above information. I generate server
> > and client keys again. Does this cause a problem?
>
> If you recreate everything, you can do this whenever you want. Normally
> people do not "recreate everything" because it's lots of (avoidable) work.
>
> > I guess deleting the Easy-RSA directory becomes a problem when my keys are
> > going to be used on the Internet!
>
> This has nothing to do with "Internet" but with "will you need to add or
> revoke keys later on, with the same CA, or not"
>
> > 2- Isn't the expiration date of the keys 365 days by default?
>
> No idea, but EasyRSA documentation should tell.
>
> > 3- If the Easy-RSA directory should not be deleted, then should there be an
> > Easy-RSA directory for each server?
>
> For each PKI. Which is not the same thing as "server", especially since
> "server" can mean a number of different things.
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,

So if I want to revoke the keys in the future and prevent clients from connecting to the server, then I need the Easy-RSA directory that I used to generate the keys at that time. Is it true?

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
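The exchange above can be acted out with the plain openssl commands that Easy-RSA wraps. The script below is an added example, not code from the thread, from Easy-RSA or from OpenVPN: it builds a CA and a client certificate using the DN values from the quoted vars file, revokes the client and publishes a CRL (what OpenVPN's crl-verify directive checks on the server), then deletes the CA key to show that no CRL can be signed without it, and finally rebuilds a CA from the same vars to show that the old client certificate does not chain to the new one. The file names, the "Demo-CA" common name, "client1" and the minimal ca.cnf are assumptions made for this demo; the Easy-RSA command names in the comments are the real ones.

```shell
#!/bin/sh
# Added example (not from the thread, Easy-RSA or OpenVPN): openssl primitives
# behind Easy-RSA, acting out "revoke after deleting the CA" and "rebuild the
# CA from the same vars". File names, Demo-CA and client1 are made up.
set -e

SUBJ_BASE="/C=US/ST=CA/L=NY/O=GreatCoder/OU=OpenVPN"   # values from the vars file

# Minimal "openssl ca" setup; Easy-RSA's pki/ directory holds the same pieces
# (index.txt is the database of issued and revoked certificates).
write_ca_config() {
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = demo_ca
[ demo_ca ]
database         = index.txt
new_certs_dir    = .
certificate      = ca.crt
private_key      = ca.key
serial           = serial
crlnumber        = crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = policy_any
x509_extensions  = v3_client
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_client ]
basicConstraints = CA:FALSE
EOF
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber
}

# Runs the scenario in a scratch directory and prints one token for each
# observation that held, so a caller can check the outcome.
demo_crl() (
  work=$(mktemp -d)
  cd "$work"
  write_ca_config
  result=""

  # 1. Build the CA (Easy-RSA: build-ca). ca.key is the secret that matters.
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca.key -out ca.crt -subj "$SUBJ_BASE/CN=Demo-CA" >/dev/null 2>&1

  # 2. Issue a client certificate (Easy-RSA: build-client-full client1).
  openssl req -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout client1.key -out client1.csr -subj "/CN=client1" >/dev/null 2>&1
  openssl ca -config ca.cnf -batch -notext \
    -in client1.csr -out client1.crt >/dev/null 2>&1
  if openssl verify -CAfile ca.crt client1.crt >/dev/null 2>&1; then
    result="$result issued-ok"
  fi

  # 3. Revoke it and publish a CRL (Easy-RSA: revoke client1; gen-crl).
  #    The CRL is a statement signed with ca.key; OpenVPN's crl-verify checks it.
  openssl ca -config ca.cnf -revoke client1.crt >/dev/null 2>&1
  openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
  if ! openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem \
       client1.crt >/dev/null 2>&1; then
    result="$result revoked-ok"
  fi

  # 4. Lose the CA key, as deleting the Easy-RSA directory does:
  #    no key, no signature, no CRL.
  rm -f ca.key
  if ! openssl ca -config ca.cnf -gencrl -out crl2.pem >/dev/null 2>&1; then
    result="$result no-key-no-crl"
  fi

  # 5. Rebuild a CA from the same vars: identical subject, new key pair.
  #    Certificates from the old CA do not chain to it, so every server and
  #    client certificate has to be re-issued too ("recreate everything").
  openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout ca2.key -out ca2.crt -subj "$SUBJ_BASE/CN=Demo-CA" >/dev/null 2>&1
  if ! openssl verify -CAfile ca2.crt client1.crt >/dev/null 2>&1; then
    result="$result old-cert-untrusted-by-new-ca"
  fi

  cd / && rm -rf "$work"
  echo "${result# }"
)

demo_crl
```

Run it with any POSIX sh where openssl is installed; it prints the four tokens `issued-ok revoked-ok no-key-no-crl old-cert-untrusted-by-new-ca`, one per outcome the thread describes. The practical consequence is the one Gert states: keep the Easy-RSA directory (above all the CA private key, offline and backed up) for as long as you may need to revoke or add certificates under that CA, and point the OpenVPN server at the published CRL with crl-verify so a revoked client is actually refused.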