UNIm95

Reputation: 242

OpenVPN user certificates

I have a problem understanding the combination of OpenVPN with EasyRsa.
I have read these instructions.
I am not understanding how client keys are signed and revoked.
When I sign a user's certificate and keys on the CA server, does the OpenVPN server determine that the user had his certificates and keys signed by the same CA server and allow the user to connect?
Similar to HTTPS with a trusted certification server (for example LetsEncrypt)?
Right?

If I want to block a user from accessing OpenVPN, I need to revoke the certificate on the CA server.
But how will the OpenVPN server understand that this user no longer has rights to access OpenVPN? Only with the help of an extra certificate revocation list?
That is generated with easyrsa gen-crl and synced/copied from the CA server to the OpenVPN server?
However, if the user certificate is expired, the OpenVPN server will simply not accept the connection?
Am I right?

Upvotes: 0

Views: 1050

Answers (1)

ogogon

Reputation: 140

To revoke certificates, you create a list of them and tell your OpenVPN server that when clients connect, they need to be verified against this list.

Using the "./revoke-full client_name" command, you add forbidden clients to the crl.pem file. Then copy this file to the server configuration directory. For the server to check this file when clients connect, you need to add the line "crl-verify crl.pem" to the configuration file. Attention! If this line appears in the configuration file but the file itself does not exist, the server will stop letting any clients in!

Upvotes: 1
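The signing, revocation and CRL check described in the answer, as an added example that is not part of the original answer or of easy-rsa: it reproduces what easy-rsa does underneath (build-ca, build-client-full, revoke-full and gen-crl) with the plain openssl CLI, and then checks each client certificate the way the server's "crl-verify crl.pem" does at connect time. It assumes only that the openssl CLI is on PATH; the CA name vpn-ca and the clients alice, bob and carol are made-up names for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: easy-rsa's build-ca,
# build-client-full, revoke-full and gen-crl done with plain openssl, then a
# check that mirrors what OpenVPN's "crl-verify crl.pem" does at connect time.
# Assumes the openssl CLI is on PATH. vpn-ca, alice, bob, carol are made-up names.
set -e

# Fresh CA in a temporary directory (the "CA server" side of the question).
setup_ca() {
    cd "$(mktemp -d)"
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName         = Common Name
[ ca ]
default_ca         = vpn_ca
[ vpn_ca ]
dir                = .
database           = $dir/index.txt
new_certs_dir      = $dir
certificate        = $dir/ca.crt
private_key        = $dir/ca.key
serial             = $dir/serial
crlnumber          = $dir/crlnumber
default_md         = sha256
default_days       = 365
default_crl_days   = 30
policy             = vpn_policy
[ vpn_policy ]
commonName         = supplied
[ ca_ext ]
basicConstraints   = critical, CA:TRUE
keyUsage           = critical, keyCertSign, cRLSign
[ client_ext ]
basicConstraints   = CA:FALSE
keyUsage           = digitalSignature
extendedKeyUsage   = clientAuth
EOF
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key \
        -out ca.csr -subj "/CN=vpn-ca" >/dev/null 2>&1
    openssl x509 -req -in ca.csr -signkey ca.key -days 365 \
        -extfile ca.cnf -extensions ca_ext -out ca.crt >/dev/null 2>&1
    : > index.txt        # CA database: one line per issued (or revoked) cert
    echo 01 > serial
    echo 01 > crlnumber
}

# Issue a client cert signed by the CA. $1 = client name; any further
# arguments go to "openssl ca" (e.g. -days 365, or -startdate/-enddate).
issue_client() {
    name=$1; shift
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes -keyout "$name.key" \
        -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1
    openssl ca -batch -notext -config ca.cnf -extensions client_ext \
        -in "$name.csr" -out "$name.crt" "$@" >/dev/null 2>&1
}

# Revoke a client and regenerate crl.pem. This crl.pem is the file that must be
# copied to the OpenVPN server and named in its "crl-verify" directive.
revoke_client() {
    openssl ca -config ca.cnf -revoke "$1.crt" >/dev/null 2>&1
    openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
}

# What the server checks when a client presents its cert: signed by our CA,
# inside its validity period, and (once a CRL is present) not listed on it.
# Exit status 0 = connection accepted, non-zero = rejected.
check_client() {
    if [ -f crl.pem ]; then
        openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem "$1.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1
    fi
}

report() {
    for c in "$@"; do
        if check_client "$c"; then echo "$c: accepted"; else echo "$c: rejected"; fi
    done
}

demo() {
    setup_ca
    issue_client alice -days 365
    issue_client bob   -days 365
    # carol's cert expired years ago: rejected by the date check alone, no CRL needed
    issue_client carol -startdate 200101000000Z -enddate 200201000000Z
    echo "before revocation:"; report alice bob carol
    revoke_client bob
    echo "after revoking bob and regenerating crl.pem:"; report alice bob carol
}
demo
```

Before revocation alice and bob are accepted and carol is rejected (expired); after revoke_client bob only alice is still accepted, which is exactly the difference between a revoked and an expired certificate the question asks about: expiry is visible from the certificate itself, revocation is only visible through the CRL the CA publishes. With easy-rsa 3 the corresponding commands are "easyrsa revoke <name>" followed by "easyrsa gen-crl", which writes pki/crl.pem; that file is what gets copied next to the server's "crl-verify crl.pem" line, and it has to be regenerated and copied again both after every revocation and before its nextUpdate date passes, since an out-of-date CRL is rejected just like a missing one.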
