On Tuesday, January 9th, 2024 at 2:47 PM, Gert Doering <g...@greenie.muc.de> wrote:

> Hi,
>
> On Tue, Jan 09, 2024 at 11:14:26AM +0000, Peter Davis wrote:
>
> > 1- So, by using --auth-user-pass I can prevent excessive access to the
> > server.
>
> That depends on your definition of "excessive" and "prevent", but it
> gives you more control on who can login, and when.
>
> > 2- I want each department to have its own key, because if I want to revoke
> > the key of one department, then there will be no problem for other
> > departments. Is this a good idea?
>
> What do you mean by "revoke the key of one department"? This question does
> not make much sense, since there is no per-department key, if you do not
> have per-department servers.
>
> OTOH, you could work with multi-level CAs (root CA signs department CA,
> department CA maintains all user certs for that department) - so in that
> case, you could indeed revoke the department key. But before you even
> think about going there, read a good textbook on X509 certificates.
>
> gert
>
> --
> "If was one thing all people took for granted, was conviction that if you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh Mistress
>
> Gert Doering - Munich, Germany g...@greenie.muc.de

Hi,

In your company, you have 3 departments. One is the IT department, the other is the management department, and the last one is the supervision department. An employee in the supervision department shares a key with someone outside the company, and you want to block access to the server through that key. You must revoke the certificate of the supervision department. If each department has its own key, then this does not affect other departments.

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
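
The multi-level CA layout described in the quoted reply (root CA signs a department CA, the department CA signs that department's user certificates), as an added example that is not part of the thread: it builds a throwaway PKI with the openssl CLI, revokes one department CA at the root, and checks that only that department's users stop verifying. The names root, it-ca, supervision-ca, alice and bob, the pki.cnf file and the helper functions are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo PKI: root CA -> department CAs -> user certs (all names invented).
set -e
cd "$(mktemp -d)"
export DB=none.idx            # pki.cnf reads $ENV::DB, so it must always be set
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = replaced-by-subj
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[user_ext]
basicConstraints = CA:FALSE
[ca]
default_ca = any_ca
[any_ca]
database = $ENV::DB
default_md = sha256
default_crl_days = 7
EOF
q() { "$@" >/dev/null 2>&1; }     # run a command quietly, keep its exit status
issue() {   # issue <name> <signer> <ext-section>: new key + cert signed by <signer>
  q openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -keyout "$1.key" -out "$1.csr" -subj "/CN=$1"
  q openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial \
      -extfile pki.cnf -extensions "$3" -days 30 -out "$1.crt"
}
ca() {      # ca <ca-name> <openssl ca args...>: each CA keeps its own index file
  n=$1; shift; DB="$n.idx"; [ -f "$DB" ] || : > "$DB"
  q openssl ca -config pki.cnf -cert "$n.crt" -keyfile "$n.key" "$@"
}
check() {   # check <dept-ca> <user>: 0 only if the whole chain is valid and unrevoked
  cat root.crl "$1.crl" > crls.pem
  q openssl verify -crl_check_all -CAfile root.crt -untrusted "$1.crt" \
      -CRLfile crls.pem "$2.crt"
}
q openssl req -x509 -config pki.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.crt -subj "/CN=root" -days 30
for d in it-ca supervision-ca; do issue "$d" root ca_ext; done
issue alice it-ca user_ext; issue bob supervision-ca user_ext
for c in root it-ca supervision-ca; do ca "$c" -gencrl -out "$c.crl"; done
check it-ca alice && check supervision-ca bob && echo "before: both users accepted"
ca root -revoke supervision-ca.crt      # the root revokes the whole department CA
ca root -gencrl -out root.crl           # publish the updated root CRL
check it-ca alice && echo "after: alice (IT) still accepted"
check supervision-ca bob || echo "after: bob (supervision) rejected"
```

The rejection depends on the verifier checking CRLs for every certificate in the chain (`-crl_check_all` here); checking only the leaf against the department CRL would still accept bob.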