- Server setup
- ./easyrsa init-pki
- don't do this twice!
- ./easyrsa build-ca
- User key and cert signing request on complete separate machine
- ./easyrsa init-pki
- don't do this twice!
- ./easyrsa gen-req myuser
- Server signs user cert req
- ./easyrsa import-req myuser.req myuser
- ./easyrsa sign-req client myuser
Any client with a signed cert may connect to the server. There is no record of the client cert on the server itself; since the server signed the user cert, that is authority enough to validate the user cert.
Only if a user cert needs to be revoked, is a "revocation file" created on the server; this revocation file disallows that user from connecting. If no users need to be revoked, nothing needs to be done, nothing needs to exist about users on the server-side.
https://community.openvpn.net/openvpn/wiki/EasyRSA3-OpenVPN-Howto
No comments:
Post a Comment
Note: only a member of this blog may post a comment.