Hi,
In its openvpn setup mnf uses the x509 certificates. You need to revoke
the undesired certificate and update the certificate list for that:
- openssl ca -revoke newcert.pem
The database is updated and the certificate is marked as revoked. You
now need to generate the new revoked list of certificates:
the right script that generates x509 certificates in mnf has the
following line for generating the crls list:
the mnf /usr/share/naat/scripts/gentestcrt.sh script contains
$openssl ca -config $freeswan_path/config_file_ca -gencrl -cert
$cacerts_dir/ca.crt -out $crls/crl.crt
2. we don't use "-nodes" in mnf for generating the certificates. And
one needs to generate the p12 certificates for windows and this
requires a command line to be typed manually in a shell precisely
because one needs to provide a password. See the info on the mnf web
interface (the online help as well)
3. You can use your own certificates for MNF1 and 2 ... you do not
necessarily need to create them with the mnf openssl/engine.
my 2cts,
On Apr 4, 2005 12:05 PM, Dj <[EMAIL PROTECTED]> wrote:
> Hi,
> I would like to find out how to do two things.
>
> 1. Remove access from a certain client if, say, their laptop was stolen,
> etc, to prevent unauthorised access.
>
> The openvpn website only provides help for doing this in version 2.x
> (i.e. revoke of certs). Is there an easy way of doing it in 1.6? Is it
> just a matter of removing the entry for the client from VPN - CA - Other
> Keys.
>
> 2. Have a remote openvpn windows client request a password prior to
> accepting the connection. This is more secure if the remote device or
> files are stolen.
>
> The documentation suggests that you need to omit the --nodes option when
> creating a cert, and you will then be asked to specify a passphrase
> which will be requested each time openvpn is started. As MNF2 carries
> out the openssl command that creates the scripts, I don't have the
> option to omit the --nodes word. Should I manually create the certs
> instead, or will this confuse MNF2 if it didn't create them itself?
>
> Any quick pointers on suitable reading to figure out the above?
> Thanks.
> Dj.
--
Florin
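
Added example (not part of the original mail and not MNF's own script): the two steps from the reply, revoke and then regenerate the CRL, run against a throwaway CA so the result can be checked with openssl verify. The config file, the subject names and every file name except newcert.pem are constructed for the demo, and -nodes is used only so that it runs unattended.

```sh
#!/bin/sh
# Added example: throwaway CA with constructed names; nothing here is MNF's own.
revocation_demo() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        mkdir newcerts && : > index.txt && echo 01 > serial && echo 01 > crlnumber
        cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = ca.crt
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
        # -nodes only so the demo runs unattended; real client keys should keep a passphrase.
        openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
            -keyout ca.key -out ca.crt -subj "/CN=Demo CA" -days 30 2>/dev/null || exit 1
        openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
            -keyout client.key -out client.csr -subj "/CN=stolen-laptop" 2>/dev/null || exit 1
        openssl ca -batch -notext -config ca.cnf -in client.csr -out newcert.pem 2>/dev/null || exit 1
        before=$(openssl verify -CAfile ca.crt newcert.pem 2>&1) || true
        # Step 1: mark the certificate as revoked in the CA database (index.txt).
        openssl ca -config ca.cnf -revoke newcert.pem 2>/dev/null || exit 1
        # Step 2: publish a new CRL; the revocation has no effect until peers load this file.
        openssl ca -config ca.cnf -gencrl -cert ca.crt -out crl.pem 2>/dev/null || exit 1
        after=$(openssl verify -crl_check -CAfile ca.crt -CRLfile crl.pem newcert.pem 2>&1) || true
        case $before in *": OK"*) b=valid ;; *) b=error ;; esac
        case $after in *"certificate revoked"*) a=revoked ;; *) a=not-revoked ;; esac
        echo "before=$b after=$a"
    )
    rc=$?; rm -rf "$d"; return $rc
}
revocation_demo
```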