jenkins-infra
diff --git a/‎.sops.yaml‎
Lines changed: 2 additions & 0 deletions b/‎.sops.yaml‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 35 additions & 5 deletions b/‎README.md‎
Lines changed: 35 additions & 5 deletions
diff --git a/‎cert/pki/certs_by_serial/F5A67EC4995DE4FB4B0511BBF7152BC5.pem‎
Lines changed: 129 additions & 0 deletions b/‎cert/pki/certs_by_serial/F5A67EC4995DE4FB4B0511BBF7152BC5.pem‎
Lines changed: 129 additions & 0 deletions
diff --git a/‎cert/pki/crl.pem‎
Lines changed: 21 additions & 20 deletions b/‎cert/pki/crl.pem‎
Lines changed: 21 additions & 20 deletions
diff --git a/‎cert/pki/extensions.temp‎
Lines changed: 16 additions & 0 deletions b/‎cert/pki/extensions.temp‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎cert/pki/index.txt‎
Lines changed: 2 additions & 1 deletion b/‎cert/pki/index.txt‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎cert/pki/index.txt.attr.old‎
Lines changed: 1 addition & 0 deletions b/‎cert/pki/index.txt.attr.old‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎cert/pki/index.txt.old‎
Lines changed: 30 additions & 0 deletions b/‎cert/pki/index.txt.old‎
Lines changed: 30 additions & 0 deletions
@@ -12,3 +12,5 @@ creation_rules:
         - 'E104B7543ECCCC68EA1EB35DD9B2DBFB59AD8344'  # Markewaite
         - '29B84443F41DE582F71599AFB47082DEE225AE06'  # Damien Duportal
         - '81B0C54A1BA2C92EAD985025A2B9560AF24FF1AD'  # hlemeur
+        - '6CD774F428CA355770C67851496D2EDEDEFA7D47'  # smerle
+        - '88FABF5F307FB5870B6AD2E8A266F2D3F9D60C45'  # Halkeye
@@ -75,6 +75,7 @@ Example here for [Tunnelblick](https://tunnelblick.net/), an OSX VPN client, ope
   script-security 2
   persist-key
   persist-tun
+  remote-cert-tls server
   user nobody
   group nobody
   ```
@@ -140,16 +141,22 @@ To enable a different DNS provider only when connected to the VPN you can add th
 
 ### HowTo become an administrator
 
-To add/revoke certificates, you must be allowed to decrypt `./cert/pki/private/ca.key.enc`.
-This file is encrypted with [sops](https://github.com/mozilla/sops) and your public gpg key must be added to `./.sops.yaml` by an existing administrator.
+To add/revoke certificates, you must be allowed to decrypt sensitive files such as `./cert/pki/private/ca.key.enc`.
 
-This repository relies on [easy-rsa](https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md).
+These files are encrypted with [sops](https://github.com/mozilla/sops), your public gpg key must be added to `./.sops.yaml` by an existing administrator to decrypt them.
+
+This repository relies on [easy-rsa](https://github.com/OpenVPN/easy-rsa/blob/master/README.quickstart.md), used under the hood by a custom Golang CLI wrapper named `easyvpn`.
+
+### HowTo Decrypt the Certificate Authority Key
+
+* Ensure that you are an administrator (Check the section [HowTo become an administrator](#howto-become-an-administrator))
+* Execute the command `make -C cert decrypt` from the root of the repository to decrypt the ca.key to `./cert/pki/private/ca.key` (which is a **secret** that **must remain git-ignored**)
 
 ### HowTo show certificate information
 
 * Install [sops](https://github.com/mozilla/sops)
 * Enter in the VPN network directory: `cd ~/.cert`
-* Run `make decrypt`
+* Decrypt the required files as described in [HowTo Decrypt the Certificate Authority Key](#howto-decrypt-the-certificate-authority-key)
 * Run `make show-cert name=<your-jenkins-username>`
 
 #### HowTo approve client access?
@@ -189,11 +196,34 @@ We can run `openssl crl -in ./cert/pki/crl.pem -noout -text` to validate that th
 
 To generate a new CRL:
 
-* Decrypt ca.key `sops -d ./cert/pki/private/ca.key.enc > ./cert/pki/private/ca.key`
+* Decrypt the required files as described in [HowTo Decrypt the Certificate Authority Key](#howto-decrypt-the-certificate-authority-key)
 * Generate a new crl.pem - `cd cert ; ./easyrsa gen-crl ; cd ..`
 * Publish the new crl.pem - `git add ./cert/pki/crl.pem && git commit ./cert/pki/crl.pem -s -m 'Renew revocation list certificate'`
 * Delete local ca.key - `rm ./cert/pki/private/ca.key`
 
+### How to Renew Server-side Certificate?
+
+* Build EASYVPN binary by running one of the following commands depending on your operating system:
+  * `make init_osx`
+  * `make init_linux`
+  * `make init_windows` and copy `./utils/easyvpn/easyvpn.exe` at the root of this repository
+* Decrypt the required files as described in [HowTo Decrypt the Certificate Authority Key](#howto-decrypt-the-certificate-authority-key)
+* Revoke actual certificate (even if it is already expired): `./easyvpn revoke vpn.jenkins.io`
+* Generate a new certificate + key, with the server DNS as argument: `./easyvpn request vpn.jenkins.io`
+
+  > The generated key is in `./cert/pki/private/vpn.jenkins.io.key` **must** remain **secret**!
+
+* Sign the request as a "server" request:
+
+  ```shell
+  cd ./certs # Running the signing command from this folder is mandatory.
+  ./easyrsa --batch sign-req server vpn.jenkins.io
+  ```
+
+* Ensure that you git-added, git-commited and pushed the changes, without ANY secrets (which should be git-ignored)
+
+* Update the secrets in the encrypted hieradata for OpenVPN in <https://github.com/jenkins-infra/jenkins-infra>
+
 ## Docker
 
 ### Configuration
 
@@ -0,0 +1,129 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            f5:a6:7e:c4:99:5d:e4:fb:4b:05:11:bb:f7:15:2b:c5
+    Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN=vpn.jenkins.io
+        Validity
+            Not Before: Feb 28 14:56:58 2022 GMT
+            Not After : Feb 12 14:56:58 2025 GMT
+        Subject: CN=vpn.jenkins.io
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                Public-Key: (4096 bit)
+                Modulus:
+                    00:dd:1c:18:38:68:74:ef:ce:e2:a7:6a:fc:ce:35:
+                    90:b1:ed:e4:46:57:d8:72:d7:57:1f:2d:59:2f:48:
+                    6e:f1:0a:d4:fb:45:84:ba:e4:cc:bf:c0:36:ee:fd:
+                    2e:79:79:75:02:4d:ac:e1:e5:ac:00:89:79:fe:a2:
+                    14:b8:1c:6c:5e:a0:fb:09:45:75:b2:bc:40:27:c1:
+                    20:1d:b1:ed:53:ba:48:08:5c:96:de:1e:b5:18:98:
+                    fb:41:81:aa:64:69:a4:3a:cb:25:5b:39:02:a8:1c:
+                    5c:13:b9:9d:fa:f4:2c:2c:46:ff:b7:d6:3f:05:24:
+                    c7:dd:3b:c2:1e:1d:42:ec:5e:58:62:78:98:c9:6f:
+                    26:ff:9a:1e:a1:28:30:60:8b:4f:7b:94:6e:72:cc:
+                    d0:03:93:e0:50:41:d5:d3:7c:31:81:bf:96:28:04:
+                    54:2f:cb:35:b8:68:7c:df:5c:c6:46:6a:55:6d:20:
+                    59:cb:ac:43:79:c9:14:9c:85:1d:2f:aa:5c:58:2e:
+                    bd:50:bf:29:80:06:b7:29:58:62:5b:1c:ad:15:60:
+                    a0:12:42:6a:d9:85:e8:9c:24:b8:26:1c:87:6e:d6:
+                    36:8f:a9:35:cd:a1:b0:5d:59:60:01:cd:04:72:40:
+                    18:82:ee:6c:5a:89:27:5f:a8:19:32:94:fa:3f:e1:
+                    12:6b:c9:3d:0c:10:40:04:d4:bd:f1:18:89:07:40:
+                    4e:d0:f8:6d:fc:a3:6a:36:03:4e:63:46:9b:3e:47:
+                    8b:b2:5f:89:e5:da:c5:86:d3:a9:9d:af:eb:d1:34:
+                    3f:4a:1d:3e:75:80:69:6f:b5:77:61:cb:10:99:55:
+                    77:b2:c5:3c:56:60:a0:e1:fc:7f:38:79:0f:dc:cc:
+                    3b:12:cc:a0:44:e0:ec:da:14:b7:18:75:90:4e:bd:
+                    59:62:9e:5a:f3:8b:9f:8d:79:27:8b:86:a5:38:a9:
+                    87:43:60:26:38:df:86:fd:11:11:dd:38:5b:d7:5f:
+                    37:78:23:b0:3d:fa:7d:24:e2:d3:04:eb:3a:21:21:
+                    21:7e:4c:c2:aa:49:2b:e2:36:91:cc:ed:02:18:f5:
+                    74:71:36:d5:f9:9d:d4:d3:d3:84:f0:ec:3c:15:83:
+                    a7:74:ef:85:a1:44:dc:9e:4b:8e:ac:cc:01:46:33:
+                    c9:ca:6c:2d:ba:48:45:f8:20:c2:ff:9e:1f:ad:90:
+                    82:a3:ea:57:08:0d:94:56:47:6d:8b:34:bc:81:91:
+                    0c:d1:55:8a:da:78:b3:fe:a4:b8:3d:9d:a5:5c:96:
+                    87:c8:6a:f7:0f:a0:cd:1a:8f:f5:39:34:3c:4a:34:
+                    06:38:5c:d7:f0:f8:1d:49:63:b0:d9:99:9a:e1:aa:
+                    22:2f:59
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Basic Constraints: 
+                CA:FALSE
+            X509v3 Subject Key Identifier: 
+                4D:43:BB:B8:E5:5A:F7:5B:DF:41:4A:45:88:CA:69:85:BA:13:4C:FF
+            X509v3 Authority Key Identifier: 
+                keyid:87:A7:C5:75:37:0B:14:6C:BF:46:04:8C:2A:52:E9:5D:DA:51:DC:E6
+                DirName:/CN=vpn.jenkins.io
+                serial:08:01:AA:6D:1B:31:40:4F:7B:9C:75:54:54:78:B5:36:65:3B:7C:B3
+
+            X509v3 Extended Key Usage: 
+                TLS Web Server Authentication
+            X509v3 Key Usage: 
+                Digital Signature, Key Encipherment
+            X509v3 Subject Alternative Name: 
+                DNS:vpn.jenkins.io
+    Signature Algorithm: sha256WithRSAEncryption
+         7e:38:fa:0f:89:24:1b:10:9e:c3:89:8f:06:fd:6c:bd:db:34:
+         06:c0:6f:7e:c7:f2:60:5f:15:9d:8b:57:c3:78:4b:3e:41:a0:
+         66:ac:5c:a3:e1:b3:4d:a5:e3:e0:af:2d:0a:df:88:14:60:e6:
+         dc:47:45:c3:ba:16:c9:20:65:43:34:2c:f4:47:b7:aa:38:5e:
+         9f:a2:d1:10:ed:7a:7a:33:3a:d3:1c:56:ee:a9:01:d3:3c:f4:
+         83:66:9d:10:99:75:3b:fe:b5:a2:21:89:0b:39:64:9b:ce:ea:
+         30:22:c2:ba:23:48:f0:75:80:23:f4:e1:65:03:53:0a:9a:39:
+         9c:02:e6:ef:53:f4:4f:41:09:9f:78:7e:db:b0:cf:bb:4a:fd:
+         67:22:fe:a1:58:b5:fa:0d:c4:c6:be:a3:45:fc:11:1a:84:18:
+         78:26:7a:81:dc:ee:50:b4:88:07:2b:b6:90:6a:c7:81:cb:67:
+         bb:f7:cd:98:16:39:a4:75:6c:00:dd:0e:32:d6:62:d3:b6:2c:
+         03:0a:9d:7d:49:c6:3c:97:dc:81:c1:19:24:75:1e:ab:b8:82:
+         80:fd:5b:5e:67:06:42:21:3b:e0:1c:fe:5f:a9:84:f0:a0:7e:
+         38:45:6b:56:4a:63:8d:40:1d:ca:f9:a3:6f:e3:b2:00:b1:ff:
+         a4:09:c0:42:a6:86:4d:42:5a:37:a8:5b:57:36:83:f1:a8:b5:
+         a8:d5:07:4d:dd:c0:e8:5c:bc:9f:92:3a:72:b3:86:01:30:c5:
+         f3:cb:ff:3e:1f:18:f2:9c:bb:60:5d:09:35:e8:69:4b:d0:e6:
+         80:48:7b:2b:1c:31:19:88:43:c9:0e:4f:48:1a:cc:68:33:a3:
+         d8:3e:72:2b:11:cc:0a:65:2a:47:f9:3b:3e:3b:8a:b3:87:3a:
+         6a:1d:a5:de:9b:d8:05:72:d7:de:1d:05:81:c5:91:fe:1c:cc:
+         82:59:2b:d6:fd:e4:78:e6:4c:92:86:db:9f:9e:b1:86:99:cb:
+         90:71:00:fa:30:c8:57:23:cf:0d:2e:11:13:83:d2:0c:77:36:
+         85:a3:88:76:06:58:cc:7f:ab:cf:b6:92:de:19:f1:1d:cb:4c:
+         54:c8:f1:20:47:9a:5c:56:28:3c:16:99:41:dc:cd:41:a0:ca:
+         4f:3a:fb:e7:8b:38:8a:f9:ce:ff:75:42:cd:ad:26:a7:f6:aa:
+         3c:bc:50:3d:b5:b8:16:5d:d0:3c:ee:05:57:0c:38:ca:52:65:
+         c0:8f:5c:2d:18:1a:91:e8:a9:c1:4e:c0:5e:e2:b6:ce:ae:ee:
+         21:44:ac:68:3e:5f:94:3a:04:5a:60:43:07:03:4f:65:67:42:
+         25:f3:d3:c0:f6:86:e9:57
+-----BEGIN CERTIFICATE-----
+MIIFfjCCA2agAwIBAgIRAPWmfsSZXeT7SwURu/cVK8UwDQYJKoZIhvcNAQELBQAw
+GTEXMBUGA1UEAwwOdnBuLmplbmtpbnMuaW8wHhcNMjIwMjI4MTQ1NjU4WhcNMjUw
+MjEyMTQ1NjU4WjAZMRcwFQYDVQQDDA52cG4uamVua2lucy5pbzCCAiIwDQYJKoZI
+hvcNAQEBBQADggIPADCCAgoCggIBAN0cGDhodO/O4qdq/M41kLHt5EZX2HLXVx8t
+WS9IbvEK1PtFhLrkzL/ANu79Lnl5dQJNrOHlrACJef6iFLgcbF6g+wlFdbK8QCfB
+IB2x7VO6SAhclt4etRiY+0GBqmRppDrLJVs5AqgcXBO5nfr0LCxG/7fWPwUkx907
+wh4dQuxeWGJ4mMlvJv+aHqEoMGCLT3uUbnLM0AOT4FBB1dN8MYG/ligEVC/LNbho
+fN9cxkZqVW0gWcusQ3nJFJyFHS+qXFguvVC/KYAGtylYYlscrRVgoBJCatmF6Jwk
+uCYch27WNo+pNc2hsF1ZYAHNBHJAGILubFqJJ1+oGTKU+j/hEmvJPQwQQATUvfEY
+iQdATtD4bfyjajYDTmNGmz5Hi7JfieXaxYbTqZ2v69E0P0odPnWAaW+1d2HLEJlV
+d7LFPFZgoOH8fzh5D9zMOxLMoETg7NoUtxh1kE69WWKeWvOLn415J4uGpTiph0Ng
+Jjjfhv0REd04W9dfN3gjsD36fSTi0wTrOiEhIX5MwqpJK+I2kcztAhj1dHE21fmd
+1NPThPDsPBWDp3TvhaFE3J5LjqzMAUYzycpsLbpIRfggwv+eH62QgqPqVwgNlFZH
+bYs0vIGRDNFVitp4s/6kuD2dpVyWh8hq9w+gzRqP9Tk0PEo0Bjhc1/D4HUljsNmZ
+muGqIi9ZAgMBAAGjgcAwgb0wCQYDVR0TBAIwADAdBgNVHQ4EFgQUTUO7uOVa91vf
+QUpFiMpphboTTP8wVAYDVR0jBE0wS4AUh6fFdTcLFGy/RgSMKlLpXdpR3OahHaQb
+MBkxFzAVBgNVBAMMDnZwbi5qZW5raW5zLmlvghQIAaptGzFAT3ucdVRUeLU2ZTt8
+szATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMCBaAwGQYDVR0RBBIwEIIO
+dnBuLmplbmtpbnMuaW8wDQYJKoZIhvcNAQELBQADggIBAH44+g+JJBsQnsOJjwb9
+bL3bNAbAb37H8mBfFZ2LV8N4Sz5BoGasXKPhs02l4+CvLQrfiBRg5txHRcO6Fskg
+ZUM0LPRHt6o4Xp+i0RDtenozOtMcVu6pAdM89INmnRCZdTv+taIhiQs5ZJvO6jAi
+wrojSPB1gCP04WUDUwqaOZwC5u9T9E9BCZ94ftuwz7tK/Wci/qFYtfoNxMa+o0X8
+ERqEGHgmeoHc7lC0iAcrtpBqx4HLZ7v3zZgWOaR1bADdDjLWYtO2LAMKnX1JxjyX
+3IHBGSR1Hqu4goD9W15nBkIhO+Ac/l+phPCgfjhFa1ZKY41AHcr5o2/jsgCx/6QJ
+wEKmhk1CWjeoW1c2g/GotajVB03dwOhcvJ+SOnKzhgEwxfPL/z4fGPKcu2BdCTXo
+aUvQ5oBIeyscMRmIQ8kOT0gazGgzo9g+cisRzAplKkf5Oz47irOHOmodpd6b2AVy
+194dBYHFkf4czIJZK9b95HjmTJKG25+esYaZy5BxAPowyFcjzw0uEROD0gx3NoWj
+iHYGWMx/q8+2kt4Z8R3LTFTI8SBHmlxWKDwWmUHczUGgyk86++eLOIr5zv91Qs2t
+Jqf2qjy8UD21uBZd0DzuBVcMOMpSZcCPXC0YGpHoqcFOwF7its6u7iFErGg+X5Q6
+BFpgQwcDT2VnQiXz08D2hulX
+-----END CERTIFICATE-----
@@ -1,22 +1,23 @@
 -----BEGIN X509 CRL-----
-MIIDujCCAaICAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOdnBuLmplbmtp
-bnMuaW8XDTIxMTEwNjExMDI0MVoXDTIyMDUwNTExMDI0MVowgfowIQIQLyl0wSdV
-YaDChwmRSfGTohcNMTkwMzE0MTYwMTM4WjAhAhB2JhHYvBVQGMqEhptloDRoFw0x
-OTExMjAwODQyNTlaMCICEQCXRw4x0qasTy+mA9NQtmHLFw0xOTAzMTMxNDA0MDla
-MCICEQCgsoX7NudBcTvhDstcL/LoFw0yMDA0MjgxOTEzMzVaMCICEQCqyP6Crypk
-ZiOX6L0MkqHJFw0xOTExMTUwOTI3MThaMCICEQC65Edmn6ksPcF6pYIvgQPIFw0x
-OTA0MjYwNzAxMDVaMCICEQDG9skL+P7CiGpzRK/U8CZDFw0yMDA1MTIwODE1MzFa
-oFgwVjBUBgNVHSMETTBLgBSHp8V1NwsUbL9GBIwqUuld2lHc5qEdpBswGTEXMBUG
-A1UEAwwOdnBuLmplbmtpbnMuaW+CFAgBqm0bMUBPe5x1VFR4tTZlO3yzMA0GCSqG
-SIb3DQEBCwUAA4ICAQCFbHNKokIQGBEq0u8pkQt65/JTue4UzkJ2sETV/V8HyP3Z
-IjFUEe64v2ak8yB/RcIawS0xTuXU9U9tDlRO8NOEjWNkTp11wp/7M1tbdcSrKm5g
-pavbH5E9w3fMNy3Oh8bSE9kxjuIsHzCcwfHtWez2cdfaPjZHIZas6pT0toS+Mzyr
-uWOl9K31pQMzetc5t3Ro9BpcrUe66WZT2o/BVrGeNrCrhCjNf/eje5cozdW94bEj
-mrMOf22Zp8SSzAkIcnnRNbiKpNk/+HGGVhYVZ7sph3OY530jUVxpXR40thpW2YxY
-BeKgKbGYaC6CfhN9xopv5pnGnJSl6+eDQohPiTe5ysBQ6jcO6z8euf7uoJoNPPz0
-nkTQN6XKOAuB+jOsul7+dmYNFG0iOLfTBHSJaNE9NiDu3FaL3viso3hbZph4uchL
-nNcxhLRQFVDCwUONRLzSf/bkCWOCkM9E6ui80d6gC0kdMcppzRAK3fvLIQU2e/UD
-ccGom9BQilF6ic4dkuxWc7R7eda41/naJMAHYvNEwIn4FCUWDfsGJG5Xcz68zvKN
-QEz/yl0NDD++wXDVqraFn4x1KqcK6HH2uAtc4PCzHQVA1xzCwXr7H9DK40t7SReu
-UjqxNy9cCSk1RXtvnACHMwq+9ZBRAQ4ird3pFQCSSUG+YRLUWiABR9W/NtdZig==
+MIID3jCCAcYCAQEwDQYJKoZIhvcNAQELBQAwGTEXMBUGA1UEAwwOdnBuLmplbmtp
+bnMuaW8XDTIyMDIyODE0MTYzNVoXDTIyMDgyNzE0MTYzNVowggEdMCECEC8pdMEn
+VWGgwocJkUnxk6IXDTE5MDMxNDE2MDEzOFowIQIQXJagk8GK5+IF3sj02HFU2RcN
+MjIwMjI4MTQxNjM1WjAhAhB2JhHYvBVQGMqEhptloDRoFw0xOTExMjAwODQyNTla
+MCICEQCXRw4x0qasTy+mA9NQtmHLFw0xOTAzMTMxNDA0MDlaMCICEQCgsoX7NudB
+cTvhDstcL/LoFw0yMDA0MjgxOTEzMzVaMCICEQCqyP6CrypkZiOX6L0MkqHJFw0x
+OTExMTUwOTI3MThaMCICEQC65Edmn6ksPcF6pYIvgQPIFw0xOTA0MjYwNzAxMDVa
+MCICEQDG9skL+P7CiGpzRK/U8CZDFw0yMDA1MTIwODE1MzFaoFgwVjBUBgNVHSME
+TTBLgBSHp8V1NwsUbL9GBIwqUuld2lHc5qEdpBswGTEXMBUGA1UEAwwOdnBuLmpl
+bmtpbnMuaW+CFAgBqm0bMUBPe5x1VFR4tTZlO3yzMA0GCSqGSIb3DQEBCwUAA4IC
+AQCgsyJq7iM/4K8E4UYWpAbzapCiQFmm29JS8fO/EPsXKc/jeVlFof69JzLJK8K+
+R0ninKD8x1ee1LiM+PNjGv+iWRMaMUA36z3fQ+X00dxBhIECd6e5uucYv5BFgKMf
+cmEPK2KG9oSyowf1BokU6tqOXFhzJL2/1anPONR+7KmsMI28IW7mljpREdYfUNu/
+XwjHoPp7kDkXt1Uf6kvfw8fExNElkvqoYjvzoI22uJpYN1JO1BPojGGu3hS5XCth
+DMC8n1K1hzyzxHycXvO/Qu8jKOb1RRRxwhc6WP/DmnykOW+1hIW/f1jahYRZY7ZQ
+LITOaf+a2EIs6dfGoKwufPAxNQhy787C1/QewpaVa+XXeN6fuSFkpnaAlTSFSyjB
+oOxfsmYEFz+071p+XB+M4Bnc1aciWdqpktjGHrdhT9baZpT1CX1HW5+M3eW9Ved2
+FkSLc26HdohS6Q1ZTpZ0Z4/33tw/WA1/4H0Bk7sM+O3E1Gz2bqoH5L7ogZd8bjUk
+hpnR6Md7m0Xkz7Yl3ic+iwRQFomqSyQQIXyvdUvS1WUZQi+4NRvnSVs7DegGrWFi
+sjXexdhhwWiUTWN6GWMztik4WY3PbbZceFyPZXrrnh4gvAa8MVL5LaduKJ4mWE1w
+ClYVTysgiXCBn9vUYrONnDEXPUR2KTFTcrPUS9qbuLVK2Q==
 -----END X509 CRL-----
@@ -0,0 +1,16 @@
+# X509 extensions added to every signed cert
+
+# This file is included for every cert signed, and by default does nothing.
+# It could be used to add values every cert should have, such as a CDP as
+# demonstrated in the following example:
+
+#crlDistributionPoints = URI:http://example.net/pki/my_ca.crl
+# X509 extensions for a server
+
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer:always
+extendedKeyUsage = serverAuth
+keyUsage = digitalSignature,keyEncipherment
+
+subjectAltName = DNS:vpn.jenkins.io
@@ -2,7 +2,7 @@ V	220225134045Z		ED1235183B4F946AB5BF9C2B12C9290E	unknown	/CN=olblak
 R	220225134302Z	190313140409Z	97470E31D2A6AC4F2FA603D350B661CB	unknown	/CN=olblak
 V	220225140553Z		386EE1565E54F1FC82198D81ECE60893	unknown	/CN=olblak
 R	220226125459Z	190314160138Z	2F2974C1275561A0C287099149F193A2	unknown	/CN=vpn.jenkins.io
-V	220226160325Z		5C96A093C18AE7E205DEC8F4D87154D9	unknown	/CN=vpn.jenkins.io
+R	220226160325Z	220228141635Z	5C96A093C18AE7E205DEC8F4D87154D9	unknown	/CN=vpn.jenkins.io
 V	220303141235Z		3011C7E81C67AF41BE24F1BA04DF84DC	unknown	/CN=danielbeck
 V	220312085551Z		42C98B07BB3A27C4CB638F38285E7EA6	unknown	/CN=jthompson
 V	220401132358Z		5796104BC5BBA01755C97100825FC7C5	unknown	/CN=wfollonier
@@ -28,3 +28,4 @@ V	240927090113Z		72067956C3F94720EDC22F3A194B44BA	unknown	/CN=hlemeur
 V	241127143801Z		6B21F3464BD2607FFCCF9F918E980156	unknown	/CN=smerle
 V	241127143839Z		1DD04C275D3D963F09C51542799D49BE	unknown	/CN=kevingrdj
 V	241127143854Z		3A9D35E238E98D0917C7AF2424D98859	unknown	/CN=abayer
+V	250212145658Z		F5A67EC4995DE4FB4B0511BBF7152BC5	unknown	/CN=vpn.jenkins.io
@@ -0,0 +1 @@
+unique_subject = no
@@ -0,0 +1,30 @@
+V	220225134045Z		ED1235183B4F946AB5BF9C2B12C9290E	unknown	/CN=olblak
+R	220225134302Z	190313140409Z	97470E31D2A6AC4F2FA603D350B661CB	unknown	/CN=olblak
+V	220225140553Z		386EE1565E54F1FC82198D81ECE60893	unknown	/CN=olblak
+R	220226125459Z	190314160138Z	2F2974C1275561A0C287099149F193A2	unknown	/CN=vpn.jenkins.io
+R	220226160325Z	220228141635Z	5C96A093C18AE7E205DEC8F4D87154D9	unknown	/CN=vpn.jenkins.io
+V	220303141235Z		3011C7E81C67AF41BE24F1BA04DF84DC	unknown	/CN=danielbeck
+V	220312085551Z		42C98B07BB3A27C4CB638F38285E7EA6	unknown	/CN=jthompson
+V	220401132358Z		5796104BC5BBA01755C97100825FC7C5	unknown	/CN=wfollonier
+R	220402111448Z	190426070105Z	BAE447669FA92C3DC17AA5822F8103C8	unknown	/CN=jvz
+R	220410073601Z	200428191335Z	A0B285FB36E741713BE10ECB5C2FF2E8	unknown	/CN=jvz
+V	220528114837Z		FB830747EB5BD0C6F287415917D136F6	unknown	/CN=mpapo
+V	220812064157Z		27E43A7171A5D0C89DEB18DD3AEA2DCB	unknown	/CN=slide_o_mix
+V	221027090425Z		4745D8A5799391B39F61AD90BAEB5B39	unknown	/CN=aheritier
+R	221028084905Z	191115092718Z	AAC8FE82AF2A64662397E8BD0C92A1C9	unknown	/CN=oleg-nenashev
+R	221030092755Z	191120084259Z	762611D8BC155018CA84869B65A03468	unknown	/CN=olivergondza
+V	221030143901Z		FE084F22FFC74DF39D6A2572C5E3A7C5	unknown	/CN=oleg_nenashev
+V	221104084514Z		50A54409248CC2C2E8B39BB934C7D2FB	unknown	/CN=olivergondza
+V	221118134116Z		A2E5F244F969721692435E055905B96A	unknown	/CN=timja
+V	221230084358Z		509010714DCE43AA1B60B7784017D165	unknown	/CN=halkeye
+V	230208124814Z		D140E37035BD34D44A5BF566AD25BD3F	unknown	/CN=markewaite
+V	230323075811Z		5A668B1DDAE2D89811D7785E6D14BC95	unknown	/CN=jequals5
+R	230413191913Z	200512081531Z	C6F6C90BF8FEC2886A7344AFD4F02643	unknown	/CN=jvz
+V	230427081910Z		615D72E8F173843620C2861C22606AB5	unknown	/CN=jvz
+V	230622073913Z		8BAC8950E336534A504D7835FB2A4D4B	unknown	/CN=vsilverman
+V	230920073521Z		C4685539F6177F6FE949C187647E563A	unknown	/CN=garethjevans
+V	231201162546Z		25871E0133857E2C9B175FFDFF0C1B3A	unknown	/CN=dduportal
+V	240927090113Z		72067956C3F94720EDC22F3A194B44BA	unknown	/CN=hlemeur
+V	241127143801Z		6B21F3464BD2607FFCCF9F918E980156	unknown	/CN=smerle
+V	241127143839Z		1DD04C275D3D963F09C51542799D49BE	unknown	/CN=kevingrdj
+V	241127143854Z		3A9D35E238E98D0917C7AF2424D98859	unknown	/CN=abayer