support for CRLs #15
The easy-rsa 3.x series (tracked on the -master branch) is a complete re-write and already includes support for CDP and easy expansion for any other common extensions (such as AIA and the like.) I'd encourage you to take a look at the features there and see if that meets your needs; 3.x is quite a bit more flexible in these regards. The doc/EasyRSA-Advanced documentation has a section on extension handling with CDP specifically in mind. I don't really think this belongs on the 2.x release & maintenance branch, at least not as it stands now. There are a number of problems I see with this currently:
All in all, I really encourage you to use the 3.x release instead of trying to get this support working for 2.x. The design in the new codebase is much more suited to this kind of thing, and what you want is probably as simple as uncommenting the existing example line within
Hey Josh, my changes are definitely not meant to be state of the art. My intention was to "discuss the lack of this feature" and ask you how one could implement this. I didn't know about the 3.x branch as I started hacking on it, and I was not sure how to get in touch with you. Kind regards.
The CDP extension can be used by any application configured to process it (people can also manually use them to help verify revocation status.) A CDP is added by an issuer to the certs it signs that indicates where that issuing CA publishes the CRL for downstream consumption. If you have a chain that looks like ..
.. then CDP usage might look like:
If an application wants to know if the SubCA is valid, it processes the RootCA's CRL since that is its issuer. Likewise, to know if the Entity cert is valid, the SubCA's CRL is checked. If you have further questions about usage or operation, it might be a good idea to post to the openvpn-users list. That list has more viewership and questions asked there are search-engine-indexed.
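The RootCA -> SubCA -> Entity chain and CDP usage described above, as an added example written with Python's cryptography library (not easy-rsa's own code, which is shell and OpenSSL config); the CRL URLs are made-up placeholders, and the check function insists that the CRL really comes from the cert's issuer before consulting it.

```python
# Added example, not easy-rsa code: RootCA -> SubCA -> Entity chain where each issued cert's
# CDP names its issuer's CRL; SubCA is checked against RootCA's CRL, Entity against SubCA's.
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec

NOW = dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)
LATER = NOW + dt.timedelta(days=365)

def make_cert(cn, issuer_name, issuer_key, key, is_ca, cdp_url=None):
    """Issue a cert; cdp_url is where the *issuer* publishes its CRL."""
    b = (x509.CertificateBuilder()
         .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
         .issuer_name(issuer_name).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(NOW).not_valid_after(LATER)
         .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))
    if cdp_url:
        dp = x509.DistributionPoint([x509.UniformResourceIdentifier(cdp_url)], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([dp]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def make_crl(issuer_cert, issuer_key, revoked_serials):
    """Publish the issuer's CRL listing the given serial numbers as revoked."""
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(NOW).next_update(LATER))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(NOW).build())
    return b.sign(issuer_key, hashes.SHA256())

def cdp_urls(cert):
    # URIs carried in the cert's crlDistributionPoints extension
    ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints).value
    return [name.value for dp in ext for name in dp.full_name]

def is_revoked(cert, issuer_cert, crl):
    """Revocation check: the CRL must come from, and be signed by, cert's issuer."""
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL was not issued by this certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None

root_key, sub_key, ent_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
root_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "RootCA")])
root = make_cert("RootCA", root_name, root_key, root_key, True)  # self-signed, no CDP
sub = make_cert("SubCA", root.subject, root_key, sub_key, True, "http://pki.example/root.crl")
entity = make_cert("Entity", sub.subject, sub_key, ent_key, False, "http://pki.example/sub.crl")
root_crl = make_crl(root, root_key, [])                    # RootCA has revoked nothing
sub_crl = make_crl(sub, sub_key, [entity.serial_number])   # SubCA has revoked Entity
```

The pki.example URLs are placeholders only; in a real deployment they are wherever each CA actually publishes its CRL.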
Hey Josh,
#openvpn on freenode, or #openvpn-devel, for now. May need an easy-rsa channel at some point.
Eric F Crist
On Dec 19, 2013, at 13:42:20, seppovic notifications@github.com wrote:
Ok. Thanks Eric
Hey,
I was wondering how to include crlDistributionPoints in certificates created with easy-rsa and still keep it as simple as possible with intermediate CAs in mind. I'm not sure if this is the right way to ask for help, but I came up with this idea. What do you think / How would you implement it?
I am new to GitHub, so I hope this is an appropriate way to get in touch.
Thanks in advance
seppovic