Re: Is there a "Golden" CA makefile?


On 30/04/2017 13:52, Jochen Bern wrote:
> On 04/29/2017 09:55 PM, John Lewis got digested:
>> I am looking for a CA makefile to use with an openvpn tutorial I am
>> writing https://github.com/Oflameo/openvpn_ws. Is there one officially
>> endorsed by the openssl project?
> Since you're specifically mentioning Open*VPN*, let me mention that
> EasyRSA is a spin-off of that project. Not makefile-based, and working
> with sub-CAs certainly isn't easy (though *possible* with version 3),
> but if you want to see how the OpenVPN people think "their" CAs *should*
> be run, that's what I'd suggest to look at.
>
> In a more general sense, the policies and technical limitations of CAs
> vary too much for their operators to even agree on what color gold has,
> I guess ...
>
> (Not-quite-random example: Out of the box, OpenSSL dislikes CAs issuing
> same-DN certs with overlapping validity periods. OpenVPN, again out of
> the box, bases the mechanism of peer-specific configs on the CN. So if
> you want to renew the cert of some device you're managing remotely
> *through* the very VPN, you may(*) have an interest to *defeat* the
> OpenSSL behavior, so as to issue the new cert before the old one expires
> and saws off the branch you're adminning from.
> (*) Of course, there *are* other techniques to work around the problem,
> but.)

Not as much "defeat", as setting the relevant option by adding the
following command during CA (and SubCA) setup:

  echo "unique_subject = no" > ${CADIR}/db/index.attr
Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
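To show the setting from the reply in action, here is an added example (not code from the thread or from OpenSSL itself): a throwaway CA whose `index.attr` carries `unique_subject`, used to sign a CN twice while the first certificate is still valid. The directory layout (`db/index`, `db/index.attr`, `db/serial`, `certs/`), the config section names and the function names are this example's own choices.

```shell
# Added example, not from the thread: a throwaway OpenSSL CA whose index.attr
# carries the unique_subject setting Jakob mentions. Layout and names are
# this example's own choice (db/index, db/index.attr, db/serial, certs/).
set -eu

# setup_ca DIR yes|no : create the CA and write unique_subject into index.attr
setup_ca() {
  CADIR="$1"
  mkdir -p "$CADIR/db" "$CADIR/certs"
  : > "$CADIR/db/index"
  echo 1000 > "$CADIR/db/serial"
  echo "unique_subject = $2" > "$CADIR/db/index.attr"   # OpenSSL's default is "yes"
  cat > "$CADIR/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $CADIR
database = \$dir/db/index
new_certs_dir = \$dir/certs
serial = \$dir/db/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Demo Root" \
    -config "$CADIR/ca.cnf" -keyout "$CADIR/ca.key" -out "$CADIR/ca.crt" 2>/dev/null
}

# issue_cert DIR CN TAG : request and sign a cert; prints 0 if signed, 1 if refused
issue_cert() {
  out="$1/$2-$3"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" -config "$1/ca.cnf" \
    -keyout "$out.key" -out "$out.csr" 2>/dev/null
  if openssl ca -batch -config "$1/ca.cnf" -in "$out.csr" -out "$out.crt" >/dev/null 2>&1
  then echo 0; else echo 1; fi
}

# Demo: renew device1 while its first cert is still valid (0 = signed)
demo=$(mktemp -d)
setup_ca "$demo" no
echo "first issue: $(issue_cert "$demo" device1 first)"
echo "early renew: $(issue_cert "$demo" device1 second)"
```

With `unique_subject = yes` (the default) the second `openssl ca` run is refused because the index still holds a valid entry for the same subject; with `no` both certificates are signed and listed in `db/index`.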