[Freeipa-users] Openvpn and Certificates

Alexander Bokovoy abokovoy at redhat.com
Thu Apr 2 07:18:25 UTC 2015


On Thu, 02 Apr 2015, Andrew Holway wrote:
>>
>> And et voila! It works! Although it does feel a bit hacky :)
>>>
>> I do it the same way as I control my systems and can be sure there is
>> one user per system for VPN access. Works nicely.
>>
>
>Is it possible to manage key revocation? I understand that this mechanism
>is mostly quite broken. How long are you making Certificates valid for?
The standard mechanism works fine -- 'ipa cert-revoke'. However, you need to
deliver the CRL to the OpenVPN server because OpenVPN only supports checking a CRL
from the file system. Theoretically one could make a systemd socket unit
that would use 'nc' and curl to pick up the CRL from the CA every time OpenVPN
asks for it (on each client connection), or provide a cached version of
it.

The easiest way is to make CRL retrieval periodic and populate whatever
directory or file crl-verify points to.
-- 
/ Alexander Bokovoy
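The periodic retrieval Alexander describes, written out as an added example script (not from this thread, FreeIPA, or OpenVPN). It assumes the FreeIPA CA publishes its CRL in DER form at the default MasterCRL.bin URL on an assumed host (ipa-ca.example.com), that the IPA CA certificate is at /etc/ipa/ca.crt as installed by ipa-client-install, that the OpenVPN config contains `crl-verify /etc/openvpn/server/crl.pem`, and that curl and openssl are on the host. The CRL is signed, so fetching it over plain HTTP is fine as long as the signature is checked against the IPA CA before the file is installed, which the script does; a CRL that fails verification is dropped and the previous one stays in place.

```shell
#!/bin/sh
# ipa-crl-sync.sh: fetch the FreeIPA CA's CRL, verify it, and install it
# where OpenVPN's `crl-verify` points. Added example for this thread; not
# FreeIPA's or OpenVPN's own tooling. ASSUMED values below: the CRL URL
# (FreeIPA's default MasterCRL.bin path on an assumed hostname), the CA cert
# location, and the crl-verify path from the OpenVPN server config.
set -eu

CRL_URL="${CRL_URL:-http://ipa-ca.example.com/ipa/crl/MasterCRL.bin}"  # assumed host
CA_CERT="${CA_CERT:-/etc/ipa/ca.crt}"                                 # assumed path
CRL_DEST="${CRL_DEST:-/etc/openvpn/server/crl.pem}"                   # assumed path

# True if the file carries a PEM-encoded CRL, which is what crl-verify reads.
crl_looks_pem() {
    grep -q -- '-----BEGIN X509 CRL-----' "$1" 2>/dev/null
}

# Convert FreeIPA's DER CRL to PEM, then verify its signature against the
# IPA CA. Without this check, anyone who can tamper with the HTTP download
# could feed OpenVPN a CRL that omits a revoked client certificate.
convert_and_verify() {
    der="$1"; pem="$2"
    openssl crl -inform DER -in "$der" -outform PEM -out "$pem"
    openssl crl -in "$pem" -CAfile "$CA_CERT" -noout 2>&1 | grep -q '^verify OK'
}

# Install $1 at $2 by writing beside the target and renaming, so OpenVPN,
# which re-reads the CRL on each client connection, never sees a truncated
# file. The CRL is public, so make it readable by the unprivileged user
# OpenVPN drops to after startup.
install_atomic() {
    src="$1"; dst="$2"
    tmp="$(mktemp "$(dirname "$dst")/.crl.XXXXXX")"
    cp -- "$src" "$tmp"
    chmod 0644 "$tmp"
    mv -f -- "$tmp" "$dst"
}

# True if the candidate CRL $1 is byte-identical to the installed one $2.
same_crl() {
    [ -f "$2" ] && cmp -s -- "$1" "$2"
}

sync_crl() {
    work="$(mktemp -d)"
    trap 'rm -rf "$work"' EXIT
    # A failed download aborts here (set -e), leaving the previous CRL in place
    # rather than replacing it with an empty or partial file.
    curl -fsS --max-time 30 -o "$work/crl.der" "$CRL_URL"
    convert_and_verify "$work/crl.der" "$work/crl.pem"
    crl_looks_pem "$work/crl.pem"
    if same_crl "$work/crl.pem" "$CRL_DEST"; then
        echo "CRL unchanged"
        return 0
    fi
    install_atomic "$work/crl.pem" "$CRL_DEST"
    echo "installed new CRL:"
    openssl crl -in "$CRL_DEST" -noout -lastupdate -nextupdate
}

# Invoke as `ipa-crl-sync.sh sync`, e.g. from cron:
#   */15 * * * * /usr/local/sbin/ipa-crl-sync.sh sync
if [ "${1:-}" = sync ]; then
    sync_crl
fi
```

Run it more often than the CA's CRL validity window: OpenSSL treats a CRL whose nextUpdate has passed as a verification error, so a stale file on the OpenVPN server locks every client out rather than letting revoked ones in. The conversion step matters because FreeIPA serves the CRL as DER while OpenVPN's crl-verify expects PEM.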