From: Karl O. P. <ko...@me...> - 2009-04-30 17:04:18
I've done more research and found:

http://openvpn.net/archive/openvpn-devel/2005-05/msg00048.html

It seems that --capath requires that openvpn be restarted to pick up any CRL changes. :-( This is not true if --ca is used with --crl-verify.

It seems unlikely that this will change. The only solution that I see is to have OpenVPN re-implement an OpenSSL X509 store-like functionality and have a way to control the caching of CRLs separately from CAs -- or have OpenSSL implement such a change. Otherwise an OpenVPN process that has dropped its privileges and is no longer able to read the CAs will have problems re-reading the CRLs.

With --capath out of the running it seems that the way to transition to a new CA when the old one expires is to run a separate OpenVPN instance on another port. :-( At least that seems the way to do it when you're using CRLs.

Anyone have a better idea?

On 04/07/2009 09:01:37 AM, Jan Just Keijser wrote:
> Try something like
>
> hash=`openssl x509 -hash -noout -in <ca1-file>`
> cp <ca1-file> capath/$hash.0
> cp <crl1-file> capath/$hash.r0
>
> hash=`openssl x509 -hash -noout -in <ca2-file>`
> cp <ca2-file> capath/$hash.0
> cp <crl2-file> capath/$hash.r0
>
> and then use
> --capath .../capath
> in your openvpn config.
>
> HTH,
>
> JJK
>
>
> Karl O. Pinc wrote:
>>
>> On 04/06/2009 09:13:02 PM, Josh Cepek wrote:
>>
>>> Hopefully this will save someone else the hassle of running strace
>>> to see what files are being referenced or digging deep in the OpenSSL
>>> docs for answers.
>>
>> I have not found a good searchable archive for this list.
>> Are there any recommendations?
>>
>>
>> Karl <ko...@me...>
>> Free Software: "You don't pay back, you pay forward."
>> -- Robert A. Heinlein
>

Karl <ko...@me...>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
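As an added illustration (not code from the thread or from OpenVPN), the script below builds the hashed --capath layout JJK describes, handling the .0/.1 and .r0/.r1 suffixes OpenSSL uses when two names hash alike, and then shows with `openssl verify -crl_check` that the .rN file in the directory is really what supplies the CRL. It assumes only the openssl command-line tool; the CA, leaf certificate and CRL are throwaway test material it generates itself.

```shell
#!/bin/sh
# Added example (not OpenVPN's or the thread's code): populate an OpenSSL
# --capath directory and check it with `openssl verify`. Assumes the openssl
# CLI; keys, certificates and the CRL are throwaway test material.
set -eu

# Copy a CA cert or a CRL into $1 under its subject (CA) or issuer (CRL) hash,
# using the first free suffix (.0, .1 / .r0, .r1) so two entries whose names
# hash alike do not overwrite each other. Prints the path written.
install_capath_file() {  # install_capath_file <capath> <pem> <ca|crl>
  capath=$1 pem=$2 kind=$3 n=0
  if [ "$kind" = crl ]; then
    h=$(openssl crl -hash -noout -in "$pem"); sfx=r
  else
    h=$(openssl x509 -hash -noout -in "$pem"); sfx=
  fi
  while [ -e "$capath/$h.$sfx$n" ]; do n=$((n + 1)); done
  cp "$pem" "$capath/$h.$sfx$n"
  echo "$capath/$h.$sfx$n"
}

# Build a throwaway CA, a leaf cert it signed, and an empty CRL in $1.
make_test_pki() {  # make_test_pki <workdir>
  d=$1; mkdir -p "$d"; : > "$d/index.txt"
  printf '[ca]\ndefault_ca=c\n[c]\ndatabase=%s/index.txt\ndefault_md=sha256\n' \
    "$d" > "$d/ca.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=TestCA \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=client \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -keyfile "$d/ca.key" -cert "$d/ca.pem" \
    -crldays 1 -out "$d/crl.pem" 2>/dev/null
}

# 0 only if the leaf chains to a CA in the capath AND a valid CRL for its
# issuer is found there; otherwise -crl_check fails ("unable to get certificate CRL").
verify_with_capath() {  # verify_with_capath <capath> <leaf.pem>
  openssl verify -CApath "$1" -crl_check "$2" >/dev/null 2>&1
}

demo() {
  d=$(mktemp -d); make_test_pki "$d"; mkdir "$d/capath"
  install_capath_file "$d/capath" "$d/ca.pem" ca
  verify_with_capath "$d/capath" "$d/leaf.pem" || echo "CA only: verify fails (no CRL)"
  install_capath_file "$d/capath" "$d/crl.pem" crl
  verify_with_capath "$d/capath" "$d/leaf.pem" && echo "CA + CRL: verify OK"
  rm -rf "$d"
}
demo
```

Because OpenSSL resolves the CRL by the issuer-name hash, the .r0 file lands under the same hash as the CA's .0 file, which is why the snippet quoted above can reuse the one `openssl x509 -hash` value for both.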