On 19.08.23 15:04, Jason Long wrote:
I asked:
"If CN's name is Server, then I must change the ccd directory to
 Server? Am I right?"
Answer:
"If that's what the Subject CN of the cert you want to use as a
 client cert says, then yes, that's it. Of course, looking at a
 file "ca.crt" and seeing a CN "Server" for what is supposed to be
 the *client's* cert is botched twelve ways to Gehenna and back and
 will perpetually confuse anyone trying to debug your final setup..."

(Note that in that reply, I failed to notice that you meant to change the name of the *directory*, rather than the name of files within it.)

Please clarify this for me. To use the --ccd-exclusive statement, I
must create a directory under the /etc/openvpn directory:
1- Is the name of that directory important or not?

The server config must explicitly point to it (and ownership/access rights/SELinux/... must allow the server process access to it).

   Its name must be "CCD" or the CN's name, or it could be anything?

Other than the above, name and location can be chosen freely.

2- After the directory, I must create a file under it. How about
   the name of that file? Is the name of that file important
   or not?

For the server to apply the configs in that file to a connecting client, the name of the file must match the (subject) CN of the cert the client uses to identify itself to the server.

3- For "Common Name (eg: your user, host, or server name) [Easy-RSA
   CA]:" question, I can enter my name or anything

I still suggest that a CA cert's CN should mention "CA", the authority (company?) running it, the purposes this CA issues certs for, and some identifier for the specific cert to better identify it across CA Cert rotation, but yes, "Jason was here" will work, too.

   and the name that I entered could be used for the following
   commands, but not mandatory. Am I right?

It ***SHOULD NOT*** be reused in those. The above creates a CA cert. The following commands create a server cert and a client cert, respectively. Given how incomprehensible the concept of these three roles seems to be to you, failing to give the certs proper, unique, mnemonic names promises to lead to disaster.

4- The names that I must enter for the following commands, must be
   same. Right?

Yes, the "gen-req" and "sign-req" EasyRSA commands used to create one cert need to take the same, unique identifier for the cert-to-be.

("sign-req" actually locates the file containing the CSR generated by "gen-req" by the filename corresponding to that identifier, so failure to enter the correct ID into the latter will *usually* result in an error message, *except* when the ID has been used before and the old CSR is still around.)

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
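
The answers to questions 1, 2 and 4 above, turned into a check an admin can run before enabling --ccd-exclusive. This is an added example, not code from the thread, from OpenVPN or from EasyRSA: it reads the CA's index.txt, derives the client-config-dir file name OpenVPN would look up for each valid client cert, and reports certs that --ccd-exclusive would refuse as well as ccd files no valid cert uses. The CN-to-filename character remapping, the sample index records and the CNs are my assumptions and constructed data.

```python
import re
import string

# Characters OpenVPN keeps when mapping a cert CN to a ccd file name; the rest
# become '_'. Assumption from reading OpenVPN's X.509 name remapping and path
# sanitising code; check it against the OpenVPN version you run.
_KEEP = set(string.ascii_letters + string.digits + "_-.@:=")

def ccd_filename(cn):
    """File name OpenVPN looks up in client-config-dir for this CN."""
    return "".join(c if c in _KEEP else "_" for c in cn)

def parse_index(index_text):
    """Yield (status, cn) per record of an OpenSSL/EasyRSA index.txt."""
    for line in filter(str.strip, index_text.splitlines()):
        fields = line.split("\t")  # status expiry revoked serial file DN
        if len(fields) != 6:
            raise ValueError("malformed index.txt record: %r" % line)
        m = re.search(r"/CN=([^/]+)", fields[5])
        if not m:
            raise ValueError("no CN in subject %r" % fields[5])
        yield fields[0], m.group(1)

def audit_ccd(index_text, ccd_files, server_cns=frozenset(), exclusive=True):
    """Return ([(cn, ccd_name, verdict), ...], set_of_stale_ccd_files)."""
    report, expected = [], set()
    for status, cn in parse_index(index_text):
        if status != "V" or cn in server_cns:
            continue  # revoked/expired certs never reach the ccd lookup
        name = ccd_filename(cn)
        expected.add(name)
        if name in ccd_files:
            verdict = "ok"
        else:  # with --ccd-exclusive a missing file means no connection
            verdict = "REFUSED: no ccd file" if exclusive else "defaults only"
        report.append((cn, name, verdict))
    return report, set(ccd_files) - expected  # stale: no valid cert behind them

# Constructed sample: one server cert, two client certs, one revoked cert.
SAMPLE_INDEX = (
    "V\t330101000000Z\t\t02\tunknown\t/CN=vpnserver01\n"
    "V\t330101000000Z\t\t03\tunknown\t/CN=Jason Long\n"
    "V\t330101000000Z\t\t04\tunknown\t/CN=alice\n"
    "R\t330101000000Z\t230801120000Z\t05\tunknown\t/CN=old-laptop\n"
)
SAMPLE_CCD = {"alice", "Jason Long", "old-laptop"}  # e.g. ls /etc/openvpn/ccd

if __name__ == "__main__":
    print(*audit_ccd(SAMPLE_INDEX, SAMPLE_CCD, server_cns={"vpnserver01"}), sep="\n")
```

Note the "Jason Long" row: a CN with a space is looked up as "Jason_Long", so a ccd file named with the space is never used.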

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users