Hi Joe, Bonno,

Joe Patterson wrote:
> Just as a note, I don't remember how openvpn considers it, but some 
> systems consider a certificate invalid if its issuer cert has expired, 
> even if the certificate itself has not.  It may be that's not the case 
> for openvpn/openssl, but I remember getting bitten by that once some 
> years ago, and figure it's best to at least keep it in mind.
Joe, you are absolutely right - I'd consider it a security flaw if 
OpenVPN did NOT refuse access to a client certificate for which the CA 
cert has expired. OpenSSL considers such a certificate to be 'no longer 
valid' and I'd be highly surprised if OpenVPN did not honour that. I 
know for a fact that an OpenSSL build of OpenVPN does honour it and I'd 
expect the same of a PolarSSL build (like the Android and iOS clients).

cheers,

JJK

>
>
> On Fri, Jan 31, 2014 at 9:02 AM, Bonno Bloksma <[email protected] 
> <mailto:[email protected]>> wrote:
>
>     Hi,
>
>     >> I want to find out when my CA expires, how do I do that. I cannot see
>     >> any readable info by just looking at the ca.key or the ca.crt
>     >> Which command will let me see that info?
>     >> Which command will let me see when the client certs expire?
>     >
>     > openssl x509 -subject -dates -noout -in ca.crt
>     [..]
>     notBefore=May 16 06:04:32 2008 GMT
>     notAfter=May 14 06:04:32 2018 GMT
>
>     Ok, I've got a few years left. ;-)
>
>     > openssl x509 -subject -dates -noout -in client-cert.crt
>
>     And these are even later of course.
>
>     Thanks
>
>     Bonno Bloksma
>
>
>     _______________________________________________
>     Openvpn-users mailing list
>     [email protected]
>     <mailto:[email protected]>
>     https://lists.sourceforge.net/lists/listinfo/openvpn-users
>


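Following the point made in this thread that a client certificate stops being accepted once its CA certificate has expired, the script below reports the effective expiry of each client certificate as the earlier of its own notAfter and the CA's. It is an added example, not code posted by anyone in the thread; it assumes the openssl CLI and GNU date, and the function names, the 90-day warning window and the file names are illustrative.

```shell
#!/bin/sh
# Added example: a client cert is only usable while BOTH it and its issuing CA
# are inside their validity period, so the effective expiry is the earlier date.
# Assumes GNU date (for -d) and the openssl CLI; file names are placeholders.

# Convert a "notAfter=May 14 06:04:32 2018 GMT" line to epoch seconds.
enddate_to_epoch() {
    date -u -d "${1#notAfter=}" +%s
}

# Read notAfter from a PEM certificate file and print it as epoch seconds.
cert_expiry_epoch() {
    enddate_to_epoch "$(openssl x509 -enddate -noout -in "$1")"
}

# Earlier of two epoch values: the CA expiry caps the client expiry.
effective_expiry() {
    if [ "$1" -lt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Classify an expiry: EXPIRED, EXPIRING (within warn_days) or OK.
expiry_status() {  # args: expiry_epoch now_epoch warn_days
    if [ "$1" -le "$2" ]; then
        echo EXPIRED
    elif [ "$1" -le $(( $2 + $3 * 86400 )) ]; then
        echo EXPIRING
    else
        echo OK
    fi
}

# Usage: ./cert-expiry.sh ca.crt client1.crt [client2.crt ...]
if [ "$#" -ge 2 ]; then
    ca="$1"; shift
    now=$(date -u +%s)
    ca_end=$(cert_expiry_epoch "$ca")
    echo "CA $ca: $(expiry_status "$ca_end" "$now" 90)"
    for crt in "$@"; do
        end=$(effective_expiry "$ca_end" "$(cert_expiry_epoch "$crt")")
        echo "$crt: usable until $(date -u -d "@$end")" \
             "[$(expiry_status "$end" "$now" 90)]"
    done
fi
```

A client certificate whose own notAfter is later than the CA's is reported with the CA's date, which is when renewal of the CA has to be planned.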