1
0
mirror of synced 2024-11-28 23:56:04 +03:00

Update docs

This commit is contained in:
hwdsl2 2021-06-01 02:31:14 -05:00
parent ea52ab4683
commit d6088751b9
2 changed files with 20 additions and 2 deletions

View File

@ -89,6 +89,7 @@ Options:
--addclient [client name] add a new client using default options (after IKEv2 setup)
--exportclient [client name] export configuration for an existing client (after IKEv2 setup)
--listclients list the names of existing clients (after IKEv2 setup)
--revokeclient Revoke a client certificate (after IKEv2 setup)
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
-h, --help show this help message and exit
@ -422,7 +423,9 @@ sudo chmod 600 ikev2vpnca.cer vpnclient.cer vpnclient.key
### 吊销一个客户端证书
在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。
在某些情况下,你可能需要吊销一个之前生成的 VPN 客户端证书。要吊销证书,重新运行辅助脚本并选择适当的选项。
另外,你也可以手动吊销客户端证书。这可以通过 `crlutil` 实现。下面举例说明,这些命令必须用 `root` 账户运行。
1. 检查证书数据库,并且找到想要吊销的客户端证书的昵称。
@ -810,6 +813,12 @@ apt-get -y install "./libnss3_3.49.1-1ubuntu1.5_amd64.deb" \
vpnclient u,u,u
```
1. 删除证书吊销列表 (CRL),如果存在:
```bash
crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
```
1. 删除证书和密钥。将下面的 "Nickname" 替换为每个证书的昵称。为每个证书重复这些命令。在完成后,再次列出 IPsec 证书数据库中的证书,并确认列表为空。
```bash

View File

@ -89,6 +89,7 @@ Options:
--addclient [client name] add a new client using default options (after IKEv2 setup)
--exportclient [client name] export configuration for an existing client (after IKEv2 setup)
--listclients list the names of existing clients (after IKEv2 setup)
--revokeclient Revoke a client certificate (after IKEv2 setup)
--removeikev2 remove IKEv2 and delete all certificates and keys from the IPsec database
-h, --help show this help message and exit
@ -424,7 +425,9 @@ To delete a client certificate:
### Revoke a client certificate
In certain circumstances, you may need to revoke a previously generated VPN client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
In certain circumstances, you may need to revoke a previously generated VPN client certificate. To revoke a certificate, run the helper script again and select the appropriate option.
Alternatively, you may manually revoke a client certificate. This can be done using `crlutil`. See example steps below, commands must be run as `root`.
1. Check the database, and identify the nickname of the client certificate you want to revoke.
@ -812,6 +815,12 @@ To manually remove IKEv2 from the VPN server, but keep the [IPsec/L2TP](clients.
vpnclient u,u,u
```
1. Delete the Certificate Revocation List (CRL), if any:
```bash
crlutil -D -d sql:/etc/ipsec.d -n "IKEv2 VPN CA" 2>/dev/null
```
1. Delete certificates and keys. Replace "Nickname" below with each certificate's nickname. Repeat these commands for each certificate. When finished, list certificates in the IPsec database again, and confirm that the list is empty.
```bash