Revoking a client certificate #874
Is there a way to revoke a client certificate to prevent a member of the mesh network from connecting? If not revocation of the certificate, is there another way to prevent an existing node from connecting to the network if it has been compromised?
Replies: 1 comment
Yes, you will want to add all of the fingerprints of the compromised host certificates to the pki.blocklist for every host on the network. I would also recommend setting pki.disconnect_invalid to true, so that hosts will disconnect from hosts that are suddenly blocklisted. (For instance if you update the blocklist in the config while nebula is running & send a SIGHUP to trigger a re-read of the config)
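The blocklist and disconnect setting from the reply above, written out as a per-host config fragment. This is an added example, not from the thread or the Nebula project; the file paths are assumed and the fingerprint values are placeholders to be replaced with the ones printed for the compromised certificates.

```yaml
# Added example (not Nebula's own config or the reply's text).
# The same pki: section has to be rolled out to every host on the network;
# blocklisting on one host only stops that host from talking to the revoked
# peer. After updating the file, send SIGHUP to the running nebula process
# so it re-reads the config without a restart.
pki:
  ca: /etc/nebula/ca.crt      # assumed paths
  cert: /etc/nebula/host.crt
  key: /etc/nebula/host.key

  # Before: no blocklist and disconnect_invalid unset. Per the reply, a
  # peer added to the blocklist later keeps its already-established tunnel.
  # blocklist: []
  # disconnect_invalid: false

  # After: one fingerprint per compromised host certificate. PLACEHOLDER
  # values; substitute the fingerprints of the actual revoked certs.
  blocklist:
    - "<FINGERPRINT_OF_COMPROMISED_HOST_CERT_1>"
    - "<FINGERPRINT_OF_COMPROMISED_HOST_CERT_2>"
  # Tear down existing tunnels to any peer that becomes blocklisted instead
  # of only refusing new handshakes.
  disconnect_invalid: true
```

Keep the blocklist under configuration management so a newly provisioned host does not come up without the revoked fingerprints.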