doc update

Nikos Mavrogiannopoulos
2016-08-27 16:51:09 +02:00
parent ca5dfc26ef
commit 32d1bafece


@@ -885,8 +885,8 @@ and they will send you the server certificate.
Note that it is recommended to leave detailed personal information out of the
certificate as it is sent in clear during TLS authentication. The following
process generates a certificate and converts it to PKCS #12 that is protected
by a PIN and most clients are able to import (the cipher arcfour is used in
the example because although weak, it is supported by far more devices than
by a PIN and most clients are able to import (the 3DES cipher is used in
the example because it is supported by far more devices than
AES).
@example
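Review bot: the rewritten sentence on the PKCS #12 cipher drops the "although weak" caveat without putting anything in its place, so 3DES now reads as a choice with no downside. 3DES is itself a legacy 64-bit block cipher; suggest wording such as "the 3DES cipher is used in the example because, although dated, it is supported by far more devices than AES", and telling readers to prefer AES where their clients can import it. The certtool --to-p12 invocation is not part of this hunk, so also confirm that its cipher option was changed to match the new text.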
@@ -894,7 +894,7 @@ $ certtool --generate-privkey --outfile user-key.pem
$ cat << _EOF_ >user.tmpl
cn = "user"
unit = "admins"
expiration_days = 9999
expiration_days = 365
signing_key
tls_www_client
_EOF_
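Review bot: with expiration_days lowered from 9999 to 365 in user.tmpl, the client certificate stops being valid after a year, but nothing in the visible lines tells the administrator that it has to be reissued. Suggest adding a sentence after the example stating that the certificate must be regenerated before it expires and that the lifetime is controlled by expiration_days.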
@@ -910,10 +910,11 @@ $ certtool --to-p12 --load-privkey user-key.pem \
@end example
@subheading Revoking a client certificate
To revoke the previous client certificate use:
To revoke the previous client certificate, i.e., preventing the user from
accessing the VPN resources prior to its certificate expiration, use:
@example
$ cat << _EOF_ >crl.tmpl
crl_next_update = 9999
crl_next_update = 365
crl_number = 1
_EOF_
$ cat user-cert.pem >>revoked.pem
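Review bot: crl_next_update = 365 in crl.tmpl means the CRL itself goes stale after a year, and the text does not say that it has to be regenerated before then; add a sentence on that, and on increasing crl_number each time the CRL is reissued. In the new paragraph, "i.e., preventing the user from accessing the VPN resources prior to its certificate expiration" would read better as "i.e., to prevent the user from accessing the VPN resources before the certificate expires".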