From: Josh C. <jos...@us...> - 2009-04-07 02:13:19
Jan Just Keijser wrote:
> Hi Josh, Karl,
>
> for this purpose openvpn 2.1 has the
> --capath
> option which lets you specify a directory containing all CA
> certificates and their corresponding CRLs. The CA certs in this
> directory should be listed using their hash values.
> This works very well with openssl 0.9.8 and above.
>
> So in your case you could add both CA certs to a 'capath' directory,
> install the corresponding CRLs in that directory as well and then use
> --capath <capath-dir>
>
> You should *not* need to specify a separate CRL file in this case.
>
> HTH,
>
> JJK
Thanks, this works well, although I had to hunt a bit to get the syntax
for the CRL filename. As a result, I've included the specific naming
convention used by OpenSSL below. The lack of documentation in the
OpenVPN manpage regarding this feature is rather a disadvantage,
mitigated somewhat with OpenSSL's function docs; I'll work on submitting
an OpenVPN patch for this so it's more apparent to those wanting this
functionality.
Also, the following warning is printed when using this option:

    WARNING: experimental option --capath

yet it seems this feature was added to OpenVPN in 2005; perhaps this
warning can go away at some point since OpenSSL appears to have had this
feature for a while now[1].
To allow the --capath directive to process all CAs and associated CRLs,
the CAs must be in the form '<hash>.#' where <hash> is the subject hash
value of the cert and # is an integer starting at 0 to allow for
multiple certs with the same hash to be used. The associated CRL, if
present, must be named '<hash>.r#' where both values are as described
earlier for the associated cert. Files in the --capath directory not
conforming to this standard are ignored. The OpenSSL tool c_rehash may
be useful to create appropriate links as well[1].
Hopefully this will save someone else the hassle of running strace to
see what files are being referenced or digging deep in the OpenSSL docs
for answers.
[1] http://openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
--
Josh
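
Added example, not part of the thread above and not OpenVPN's or OpenSSL's own code: a small POSIX shell script that builds a --capath directory by hand following the naming rules Josh describes (<hash>.<n> for CA certs, <hash>.r<n> for CRLs, n starting at 0 and bumped on collisions), so the hash/suffix logic is visible without going through c_rehash. It assumes the openssl binary is on PATH; every file name in it is a placeholder. One caveat that post-dates the thread: OpenSSL 1.0.0 changed the subject-name hash algorithm, so a directory populated with 0.9.8-era links has to be rehashed once the OpenVPN host moves to a newer OpenSSL (openssl x509 -subject_hash_old prints the old value if a mixed setup needs both).

```shell
#!/bin/sh
# Build an OpenVPN --capath directory by hand using the OpenSSL hash-directory
# naming rules: <hash>.<n> for CA certificates, <hash>.r<n> for CRLs, with n
# starting at 0 and incremented when several files share one subject hash.
#
# Added example for this thread, not code from OpenVPN or OpenSSL. Assumes the
# `openssl` binary is on PATH; all file names below are placeholders.

set -eu

# next_slot DIR HASH PREFIX
# Print the smallest n for which DIR/HASH.<PREFIX><n> does not exist yet.
# PREFIX is "" for a certificate and "r" for a CRL. This is the collision
# rule that lets two CAs with the same subject hash live in one directory.
next_slot() {
    dir=$1; hash=$2; prefix=${3:-}
    n=0
    while [ -e "$dir/$hash.$prefix$n" ]; do
        n=$((n + 1))
    done
    echo "$n"
}

# abspath FILE: print an absolute path so the symlink survives a cwd change.
abspath() {
    case $1 in
        /*) echo "$1" ;;
        *)  echo "$PWD/$1" ;;
    esac
}

# install_ca DIR CERT [CRL]
# Symlink a CA certificate (and optionally its CRL) into DIR under hashed
# names, the way c_rehash does, and print the names that were created.
install_ca() {
    dir=$1; cert=$2; crl=${3:-}
    mkdir -p "$dir"

    # Subject-name hash of the CA certificate (algorithm changed in OpenSSL
    # 1.0.0; -subject_hash_old reproduces the 0.9.8 value if ever needed).
    hash=$(openssl x509 -noout -subject_hash -in "$cert")
    n=$(next_slot "$dir" "$hash" "")
    ln -s "$(abspath "$cert")" "$dir/$hash.$n"
    echo "$hash.$n"

    if [ -n "$crl" ]; then
        # A CRL is named by its *issuer* hash, which must equal the CA's
        # subject hash; a mismatch means the CRL belongs to a different CA.
        crlhash=$(openssl crl -noout -hash -in "$crl")
        if [ "$crlhash" != "$hash" ]; then
            echo "CRL issuer hash $crlhash does not match CA hash $hash" >&2
            return 1
        fi
        m=$(next_slot "$dir" "$hash" "r")
        ln -s "$(abspath "$crl")" "$dir/$hash.r$m"
        echo "$hash.r$m"
    fi
}

# check_capath DIR [VERIFY-OPTIONS...] CERT
# Verify CERT against the directory exactly as OpenSSL's lookup will; pass
# -crl_check to also require a correctly named CRL for the issuer.
check_capath() {
    dir=$1; shift
    openssl verify -CApath "$dir" "$@"
}

# demo: a throwaway self-signed CA installed twice to show the .0/.1
# collision handling, then verified against the resulting directory.
demo() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=demo-ca \
        -keyout "$tmp/ca.key" -out "$tmp/ca.crt" 2>/dev/null &&
    install_ca "$tmp/capath" "$tmp/ca.crt" &&
    install_ca "$tmp/capath" "$tmp/ca.crt" &&
    check_capath "$tmp/capath" "$tmp/ca.crt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

if command -v openssl >/dev/null 2>&1; then
    demo || echo "demo skipped: openssl run failed" >&2
fi
```

After installing a real CA and its CRL, run `check_capath <dir> -crl_check <client.crt>`; a misnamed CRL makes that fail with "unable to get certificate CRL", which is a much faster diagnostic than the strace session mentioned above. Plain `check_capath <dir> <client.crt>` will happily pass with no CRL present at all, so always include -crl_check when the point of the exercise is revocation.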