----- Original Message -----
From: "Andrew Guenther" <andguent@xxxxxxxxx>

> I finally figured this out on my own. Within the keys directory there
> is an index.txt. When you revoke someone, a few small changes are made
> to that file. When you generate a crl.pem, it blacklists everyone who
> has been marked as revoked in that file.
>
> A normal key generation setup should not have the problems I was experiencing.
>
> root@myserver:/tmp/openvpn# diff index.txt index.txt.old
> 9c9
> < R 160111131000Z 070777702520Z 09 unknown
> /C=US/ST=PA/O=CustID/CN=Key_Name/emailAddress=admin@xxxxxxxxxxxxx
> ---
> > V 160111131000Z 09 unknown /C=US/ST=PA/O=CustID/CN=Key_Name/emailAddress=admin@xxxxxxxxxxxxx
>
>
> To unrevoke a key, it appears you simply change the R back to a V and
> delete the third piece of text there. Not tested.

Yes, your assumption is correct. Be aware though that 'un-revoking' a cert after you have distributed a CRL to clients can cause problems, as anyone still using the old CRL will treat any un-revoked certs as bad until they pick up the latest CRL. As a rule, if you revoke a cert, you should generate a new one with the same CN, even if you find out the original one was not compromised.

Cheers,
Roland

______________________
OpenVPN mailing lists
https://lists.sourceforge.net/lists/listinfo/openvpn-users
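
An added example, not part of the original thread: a Python check that compares two copies of index.txt and reports serials flipped from R back to V, plus entries whose status flag and revocation-date field disagree after a hand edit. It assumes the on-disk file is tab-separated with six fields per line (the e-mail shows the fields separated by spaces); the function names, the second entry and the revocation timestamp in the sample are constructed for illustration.

```python
from typing import NamedTuple


class Entry(NamedTuple):
    status: str   # V = valid, R = revoked, E = expired
    expires: str  # expiry time, YYMMDDHHMMSSZ
    revoked: str  # revocation time; empty unless the entry is revoked
    serial: str   # hex serial number
    subject: str  # certificate subject DN


def parse_index(text):
    """Parse index.txt content into {serial: Entry}."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, expires, revoked, serial, _filename, subject = fields
        entries[serial.upper()] = Entry(status, expires, revoked, serial.upper(), subject)
    return entries


def inconsistent(entries):
    """Serials whose status flag disagrees with the revocation-date field."""
    return sorted(s for s, e in entries.items() if (e.status == "R") != bool(e.revoked))


def unrevoked(old, new):
    """Serials marked R in the old index but V in the new one."""
    return sorted(s for s, e in new.items()
                  if e.status == "V" and s in old and old[s].status == "R")


# Constructed sample: serial 09 mirrors the entry quoted in the e-mail,
# with a made-up revocation timestamp; serial 08 is invented.
SUBJ = "/C=US/ST=PA/O=CustID/CN=Key_Name/emailAddress=admin@xxxxxxxxxxxxx"
OLD = ("V\t160111131000Z\t\t08\tunknown\t/C=US/ST=PA/O=CustID/CN=Other_Key\n"
       f"R\t160111131000Z\t070101120000Z\t09\tunknown\t{SUBJ}\n")
# Clean hand edit: flag set back to V and revocation date removed.
NEW_CLEAN = OLD.replace("R\t160111131000Z\t070101120000Z", "V\t160111131000Z\t")
# Half edit: flag set back to V but revocation date left in place.
NEW_HALF = OLD.replace("R\t160111131000Z", "V\t160111131000Z")

if __name__ == "__main__":
    old = parse_index(OLD)
    for label, text in (("clean edit", NEW_CLEAN), ("half edit", NEW_HALF)):
        new = parse_index(text)
        print(label, "un-revoked:", unrevoked(old, new), "inconsistent:", inconsistent(new))
```

Any serial reported as un-revoked is one for which a previously distributed crl.pem still lists the certificate, so a regenerated CRL has to reach every place the old one was copied.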