On 08.01.24 07:19, Peter Davis wrote:
On Sunday, January 7th, 2024 at 10:52 PM, Jochen Bern <jochen.b...@binect.de> wrote:On 07.01.24 06:50, Peter Davis via Openvpn-users wrote:Now if I ignore the warning message above, what is the risk?Then you'll lose the content of those files that only the CA needs, and thus the ability to continue operating that (first) CA, in particular: -- You'll be unable to create a CRL, whether it is to actually revoke a cert or just to replace an expiring one. -- When the (first) server cert expires, you'll be unable to have a new one created by the same CA, thus requiring a config change on every client - wherever and in whosever hands it is - before it'll be able to connect to the VPN again.Hi, Thanks again. So: 1- What's the solution?
... is your work environment so diverse that every colleague has an ID card / a passport issued by a *different* nation? Trusted Third Parties - and that's *exactly* what a CA is - tend to be trusted to issue *several* proofs of identity.
2- What do I need to do to build new servers using Easy-RSA?
You need to do some steps *LESS* than your "set up EVERYTHING from scratch" how-to lists. (And as far as I can tell without running a test myself, the command that gives you the warning is *not* the only one you need to omit.)
3- What files do I need to copy from Easy-RSA so that I can safely delete the Easy-RSA directory?
Assuming that there is *some* obscure reason why you'd want to do that in the first place, may I suggest that you use subdirectories, rather than a "photocopy, then shred original" approach ...
Kind regards, -- Jochen Bern Systemingenieur Binect GmbH
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Openvpn-users mailing list Openvpn-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-users
