> On Sunday, February 4th, 2024 at 3:41 PM, Gert Doering <g...@greenie.muc.de> wrote:
>
> Hi,
>
> On Sun, Feb 04, 2024 at 10:31:20AM +0000, Peter Davis via Openvpn-users wrote:
> > I want to revoke a user's key and I have a few questions:
> > 1- If I revoke a key and create a new key with the same name as before, can
> > the previous user connect to the server?
>
> I don't know about "users".
>
> The person using the revoked key can no longer use that key as it is revoked.
>
> X.509 certs do not care about "what name is attached to this cert?", all
> they care about "is this from a trusted CA, and is it not on the revocation
> list (CRL)"?
>
> > 2- If I use the ./revoke-full "Client_Name" command to revoke a key, do I
> > need to add a line to the server configuration file? For example, something
> > like "crl-verify crl.pem".
>
> Yes. The CRL is needed to tell the server "these certificates have been
> revoked".
>
> Note that the CRL has a lifetime, so when the CRL is not refreshed every
> now and then, it will expire, and all(!) access is disallowed - see the
> easyrsa documentation on CRL lifetime and CRL refreshing.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hello,
Thanks.

1- Suppose I have two clients with the same name (Peter). I have generated the keys for one and not for the other. Now I revoke Peter's keys and generate new keys again with Peter's name. Because new keys with the same name are generated, can the previous Peter connect to the server?

2- Is the following command enough to refresh the CRL lifetime?

./easyrsa gen-crl

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users