> On 19.08.23 10:02, Bo Berglund wrote:
>> On Sat, 19 Aug 2023 07:03:01 +0000 (UTC), Jason Long via Openvpn-users
>> <openvpn-users@lists.sourceforge.net> wrote:
>>> I have another question:
>>> 1- I checked the "Subject" of the ca.crt file and my CN name is "Server". Now,
>>> I must change the "ccd" directory to "Server", but how about the file name
>>> under the "Server" directory?
>>
>> WHAT?????
>>
>> The ccd directory is defined in the server.conf file and could be named whatever
>> you like. It has NOTHING whatever to do with the CommonName in any certificate
>> or such!
>
> To add to that, we're talking about the *CA* cert here (in spite of its
> CN reading "Server") and the CA isn't going to connect to the VPN
> server, so having a CCD¹ *whatever* to match its CN isn't going to do
> anything ever.
>
> ¹ That *does* still stand for "(Per-)*Client* Configurations Directory",
> right? :-3
>
>>> 2- Suppose you want to configure a server. Can you show me the names you enter
>>> for the commands below?
>>>
>>> # ./easyrsa build-ca nopass
>>> ...
>>> Common Name (eg: your user, host, or server name) [Easy-RSA CA]: "Your_Name"
>
> Binect Exasperation CA - A
> (When rotating CA certs, we "increment" the trailing letter.)
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req server "Your_Name"
>
> exavpn.binect.de
>
>>> # ./easyrsa gen-req "Your_Name" nopass
>>> # ./easyrsa sign-req client "Your_Name"
>
> These create a *client* cert, which is unnecessary to "configure a
> *server*", strictly speaking.
>
> Since you seem to plan to have a boatload of CCD files, which need to be
> named after the client certs' CN, I would probably revise my previous
> suggestion of "Jason Long's private cell phone" and go with something
> like "JasonLong_privCell" instead.
>
> Not that it should be much news to you how *I* would name CA, server,
> and client certs, respectively, if you had read my previous posts ...
>
> Kind regards,
> --
> Jochen Bern
> Systemingenieur
> Binect GmbH

Hi Jochen,

Excuse me, I'm confused. I asked:
"If CN's name is Server, then I must change the ccd directory to Server? Am I right?"

Answer:
"If that's what the Subject CN of the cert you want to use as a client cert says, then yes, that's it. Of course, looking at a file "ca.crt" and seeing a CN "Server" for what is supposed to be the *client's* cert is botched twelve ways to Gehenna and back and will perpetually confuse anyone trying to debug your final setup..."

Please clarify this for me.

To use the --ccd-exclusive statement, I must create a directory under the /etc/openvpn directory:

1- Is the name of that directory important or not? Must its name be "CCD" or the CN's name, or could it be anything?

2- After the directory, I must create a file under it. How about the name of that file? Is the name of that file important or not?

3- For the "Common Name (eg: your user, host, or server name) [Easy-RSA CA]:" question, I can enter my name or anything, and the name that I entered could be used for the following commands, but it is not mandatory. Am I right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"

4- The names that I must enter for the following commands must be the same. Right?

# ./easyrsa gen-req "Your_Name" nopass
# ./easyrsa sign-req server "Your_Name"

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
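The directory/file-name question the thread keeps circling back to, as an added example that is not part of the mailing-list exchange: the directory named by client-config-dir can be called anything, while each file inside it must be named exactly like the Subject CN of the client certificate it applies to, and with ccd-exclusive a client whose CN has no such file is refused. The script below pulls the CN out of an "openssl x509 -noout -subject" line and creates the matching CCD file. The server.conf fragment in the comments, the /etc/openvpn/ccd path and the sample subject lines and address are assumptions made for the example, not values from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Shows the relationship between a client
# certificate's Subject CN and the file OpenVPN looks up under
# client-config-dir when ccd-exclusive is set.
#
# Assumed (hypothetical) server.conf fragment:
#   client-config-dir /etc/openvpn/ccd   # directory name: your choice
#   ccd-exclusive                        # no matching file => client refused
# The DIRECTORY name is arbitrary; each FILE inside it must be named exactly
# like the CN of the client certificate it applies to. The CA cert's CN
# ("Server" in the thread) plays no part in this lookup.

# Pull the CN value out of an "openssl x509 -noout -subject" line.
# Accepts both "subject=CN = foo, O = bar" and "subject=/O=bar/CN=foo".
cn_from_subject() {
    printf '%s\n' "$1" \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# Defensive check before using a CN as a file name: this script's own
# policy, stricter than OpenVPN's, rejecting empty names, path separators,
# "." / ".." and whitespace (a CN such as "JasonLong_privCell" passes).
cn_is_safe_filename() {
    case "$1" in
        ''|*/*|.|..|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Create DIR/CN holding the per-client directives given as further args,
# and print the path written. Refuses unsafe CNs.
write_ccd_entry() {
    ccd_dir="$1"; ccd_cn="$2"; shift 2
    if ! cn_is_safe_filename "$ccd_cn"; then
        echo "refusing unsafe CN as file name: '$ccd_cn'" >&2
        return 1
    fi
    mkdir -p "$ccd_dir"
    : > "$ccd_dir/$ccd_cn"
    for directive in "$@"; do
        printf '%s\n' "$directive" >> "$ccd_dir/$ccd_cn"
    done
    printf '%s\n' "$ccd_dir/$ccd_cn"
}

# Stand-alone demo on a constructed subject line, in a throwaway directory.
demo() {
    demo_tmp=$(mktemp -d)
    demo_subject='subject=CN = JasonLong_privCell, O = Binect GmbH'  # constructed
    demo_cn=$(cn_from_subject "$demo_subject")
    write_ccd_entry "$demo_tmp/ccd" "$demo_cn" \
        "ifconfig-push 10.8.0.10 255.255.255.0"   # constructed sample address
    cat "$demo_tmp/ccd/$demo_cn"
    rm -rf "$demo_tmp"
}

demo
```

On a real server you would feed cn_from_subject the output of "openssl x509 -noout -subject -in client.crt" and point write_ccd_entry at the directory named in client-config-dir; the whitespace rejection is why a CN like "Jason Long's private cell phone" is awkward as a CCD file name and "JasonLong_privCell" is not.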