Thanks, Gert and JJK, and thanks again, Selva. Gert's original wish was to have the user replace expiring certificates without admin authorization (I expanded it enormously), so perhaps it should be limited to do only that: allow users to change certain files that are referred to in an existing config file without an admin authorizing it. For example, only files in --askpass, --auth-user-pass, --cert, --key, and --pkcs12 options (maybe plus --ca, --dh, --extra-certs, and tls-auth). (Of course, this would be done by whitelisting.)
This doesn't help those who distribute configs with inline keys/certificates, but it's much easier and safer to replace files than to modify a configuration file.
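A sketch of the whitelisting check proposed in the message above, added here as an example and not code from the thread or from the OpenVPN project. The function names, the sample config and the simplified config parsing are assumptions made for illustration.

```python
import posixpath  # the constructed sample uses POSIX paths
import shlex

# Options named in the message; config files write them without the leading "--".
CORE = {"askpass", "auth-user-pass", "cert", "key", "pkcs12"}
OPTIONAL = {"ca", "dh", "extra-certs", "tls-auth"}  # the "maybe" group

SAMPLE = """\
client
ca ca.crt
cert client.crt   # expiring certificate
key "keys/client.key"
tls-auth ta.key 1
auth-user-pass
up /etc/openvpn/up.sh
<dh>
cert not-a-file-reference.pem
</dh>
"""  # constructed config, not from the thread


def replaceable_files(config_text, config_dir, allowed=CORE):
    """Absolute paths of files referenced by whitelisted options."""
    paths, inline_tag = set(), None
    for raw in config_text.splitlines():
        line = raw.strip()
        if inline_tag:  # inside <tag>...</tag>: inline data, not options
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        if line.startswith("<") and line.endswith(">"):
            inline_tag = line[1:-1]
            continue
        try:
            words = shlex.split(line, comments=True)
        except ValueError:
            continue  # unbalanced quotes: skip rather than guess
        if len(words) < 2:  # blank, comment, or option with no file argument
            continue
        opt, arg = words[0].lstrip("-"), words[1]
        if opt in allowed:
            paths.add(posixpath.normpath(posixpath.join(config_dir, arg)))
    return paths


def user_may_replace(config_text, config_dir, target, allowed=CORE):
    """True only if target is a file a whitelisted option already refers to."""
    target = posixpath.normpath(posixpath.join(config_dir, target))
    return target in replaceable_files(config_text, config_dir, allowed)
```

The check only decides which paths qualify; it does not resolve symlinks or look at file ownership, and the `up` script and the inline `<dh>` block are never treated as replaceable.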