The use of CRLs
This recipe shows how to configure OpenVPN to use a Certificate Revocation List (CRL). It uses the CRL created in the previous recipe. This recipe is an extension of the recipe Routing: Masquerading in Chapter 2 in the sense that the server and client configuration files are almost identical.
Getting ready
Set up the client and server certificates using the first recipe from Chapter 2, Client-server IP-only Networks. Generate the CRL using the previous recipe. For this recipe, the server computer was running CentOS 5 Linux and OpenVPN 2.1.1. The client was running Fedora 12 Linux and OpenVPN 2.1.1. Keep the server configuration file basic-udp-server.conf from Chapter 2's recipe Server-side routing at hand.
How to do it...
Copy the generated CRL to a more public directory:
[root@server]# cd /etc/openvpn/cookbook
[root@server]# cp keys/crl.pem .
Modify the server config file basic-udp-server.conf by adding the line:
crl-verify /etc/openvpn/cookbook/crl.pem
Save it as
example4...
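As an added example (not from the book), here is a small POSIX shell script that checks a crl-verify deployment the way an administrator would after this step: it reads the CRL path from the server config, checks that the file stays readable once OpenVPN has dropped privileges, and replays the revocation check with the openssl CLI against the CA certificate and a client certificate. The file names and the ca.crt/client certificate arguments are assumptions, not part of the recipe.

```shell
#!/bin/sh
# Sanity checks for an OpenVPN crl-verify setup. Added example, not the book's
# own script; file names are placeholders and the openssl CLI is assumed present.

# Print the CRL path from the crl-verify line of an OpenVPN server config.
crl_from_config() {
    awk '$1 == "crl-verify" { print $2 }' "$1"
}

# OpenVPN opens the CRL while verifying a client, after it has dropped root
# (user/group directives), so the file must be readable by other users.
crl_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Serial of a certificate as OpenSSL prints it (uppercase hex, "serial=" stripped).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

# Succeeds if the CRL lists the certificate's serial under "Revoked Certificates".
crl_lists_cert() {
    openssl crl -in "$1" -noout -text | grep -q "^ *Serial Number: $(cert_serial "$2")\$"
}

# Replay OpenVPN's check with OpenSSL: chain to the CA, CRL signature and
# validity period, revocation status. Succeeds only if the client would be accepted.
verify_client() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}

# Usage: check_crl_setup basic-udp-server.conf ca.crt client1.crt
check_crl_setup() {
    conf=$1 ca=$2 cert=$3
    crl=$(crl_from_config "$conf")
    [ -n "$crl" ] || { echo "no crl-verify line in $conf"; return 1; }
    [ -f "$crl" ] || { echo "CRL file $crl not found"; return 1; }
    crl_world_readable "$crl" ||
        echo "warning: $crl is not world-readable; OpenVPN may fail to open it after dropping privileges"
    crl_lists_cert "$crl" "$cert" && echo "$cert is listed as revoked in $crl"
    if verify_client "$ca" "$crl" "$cert"; then
        echo "$cert passes the CRL check"
    else
        echo "$cert would be rejected (revoked, or the CRL is expired or not signed by $ca)"
        return 1
    fi
}
```

Run it once with a certificate you have just revoked and once with a still-valid one; the first must fail and the second must pass before you restart the server with the new CRL.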