Re: [Openvpn-users] How to use ccd-exclusive statement?

Sat, 19 Aug 2023 05:27:14 -0700 

On 19.08.23 10:02, Bo Berglund wrote:

On Sat, 19 Aug 2023 07:03:01 +0000 (UTC), Jason Long via Openvpn-users
<openvpn-users@lists.sourceforge.net> wrote:

I have another questions:
1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
   I must change the "ccd" directory to "Server", but how about the file name
   under the "Server" directory?


WHAT?????

The ccd directory is defined in the server.conf file and could be named whatever
you like. It has NOTHING whatever to do with the CommonName in any certificate
or such!



To add to that, we're talking about the *CA* cert here (in spite of its 
CN reading "Server") and the CA isn't going to connect to the VPN 
server, so having a CCD¹ *whatever* to match its CN isn't going to do 
anything ever.



¹ That *does* still stand for "(Per-)*Client* Configurations Directory", 
right? :-3



2- Suppose you want to configure a server. Can you show me the names you enter

   for the commands below? 


# ./easyrsa build-ca nopass
...
Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"


Binect Exasperation CA - A

(When rotating CA certs, we "increment" the trailing letter.)


# ./easyrsa gen-req "Your_Name" nopass 
# ./easyrsa sign-req server "Your_Name"


exavpn.binect.de


# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req client "Your_Name"



These create a *client* cert, which is unnecessary to "configure a 
*server*", strictly speaking.



Since you seem to plan to have a boatload of CCD files, which need to be 
named after the client certs' CN, I would probably revise my previous 
suggestion of "Jason Long's private cell phone" and go with something 
like "JasonLong_privCell" instead.



Not that it should be much news to you how *I* would name CA, server, 
and client certs, respectively, if you had read my previous posts ...


Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH



Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users























					Reply via email to